MantisBT 1.2.1 introduced anti-clickjacking protection in the form of two HTTP response headers: X-Frame-Options and X-Content-Security-Policy (the Mozilla-prefixed precursor of Content-Security-Policy, whose frame-ancestors directive restricts who may frame a page). SHODAN is a search engine that indexes the HTTP banners and response headers it collects from internet-facing hosts. Searching SHODAN's database for X-Frame-Options returns just over 7000 results; the same check for the X-Content-Security-Policy header returns just over 90. Interestingly, the great majority of the X-Content-Security-Policy results are MantisBT installations. It therefore appears that other web applications (and websites) have yet to deploy X-Content-Security-Policy in readiness for the stable release of Firefox 4, the browser that will honour it.
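The check a practitioner would want to run against their own installation is whether a response actually carries a framing restriction a browser will honour, not merely whether the header name is present. The following audit script is an added example, not code from MantisBT or from the original post: it parses a raw HTTP response, classifies X-Frame-Options (DENY, SAMEORIGIN, the legacy ALLOW-FROM, anything else is ignored by browsers), and extracts the frame-ancestors directive from the legacy X-Content-Security-Policy syntax. The three responses embedded at the bottom are constructed for illustration; their header values are not copied from any real host, and `allow` is used as the old Mozilla-draft name of what later became `default-src`.

```python
"""Audit an HTTP response for the two anti-clickjacking headers discussed above.

Added example, not MantisBT code. Sample responses below are constructed.
"""

XFO_VALID = {"deny", "sameorigin"}


def parse_headers(raw_response: str) -> dict:
    """Parse the header block of a raw HTTP response into a dict keyed by
    lower-cased header name. Each value is a list so that repeated headers are
    preserved instead of silently overwritten."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:          # element 0 is the status line
        name, sep, value = line.partition(":")
        if not sep:
            continue                              # malformed header line, skip it
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def evaluate_x_frame_options(values: list) -> dict:
    """Classify X-Frame-Options. Only a single DENY or SAMEORIGIN (or the legacy
    ALLOW-FROM <uri>) is counted as protection: browsers ignore values they do
    not recognise, and conflicting duplicates are a configuration error."""
    if not values:
        return {"present": False, "protects": False, "reason": "header absent"}
    normalised = {v.strip().lower() for v in values}
    if len(normalised) > 1:
        return {"present": True, "protects": False,
                "reason": "conflicting values: " + ", ".join(sorted(normalised))}
    value = normalised.pop()
    if value in XFO_VALID:
        return {"present": True, "protects": True, "reason": value}
    if value.startswith("allow-from "):
        return {"present": True, "protects": True,
                "reason": "allow-from (legacy, not honoured by every browser)"}
    return {"present": True, "protects": False,
            "reason": "unrecognised value %r" % value}


def evaluate_csp_frame_ancestors(values: list) -> dict:
    """Extract frame-ancestors from X-Content-Security-Policy. The legacy syntax
    is 'directive source-list; directive source-list'. frame-ancestors is never
    covered by the default (allow) directive, so a policy without it gives no
    framing protection at all. With several policies, every one must restrict."""
    source_lists = []
    for policy in values:
        for directive in policy.split(";"):
            parts = directive.split()
            if parts and parts[0].lower() == "frame-ancestors":
                source_lists.append([p.lower() for p in parts[1:]])
    if not source_lists:
        return {"present": bool(values), "protects": False,
                "reason": "no frame-ancestors directive"}
    for sources in source_lists:
        if not sources or "*" in sources:
            return {"present": True, "protects": False,
                    "reason": "frame-ancestors allows any origin"}
    return {"present": True, "protects": True,
            "reason": "frame-ancestors " + " | ".join(" ".join(s) for s in source_lists)}


def audit_clickjacking(raw_response: str) -> dict:
    """Combine both headers: the page is frameable by an attacker only if
    neither mechanism restricts framing."""
    headers = parse_headers(raw_response)
    xfo = evaluate_x_frame_options(headers.get("x-frame-options", []))
    csp = evaluate_csp_frame_ancestors(headers.get("x-content-security-policy", []))
    return {"x_frame_options": xfo, "x_content_security_policy": csp,
            "frameable_by_attacker": not (xfo["protects"] or csp["protects"])}


# Constructed responses for illustration (not captured from a real host).
PROTECTED = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "X-Content-Security-Policy: allow 'self'; frame-ancestors 'self'\r\n"
    "\r\n<html>...</html>"
)
UNPROTECTED = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>...</html>"
MISCONFIGURED = (
    "HTTP/1.1 200 OK\r\n"
    "X-Frame-Options: ALLOWALL\r\n"                 # not a real value; browsers ignore it
    "X-Content-Security-Policy: allow 'self'\r\n"   # no frame-ancestors, so no framing limit
    "\r\n"
)

if __name__ == "__main__":
    for name, raw in (("protected", PROTECTED), ("unprotected", UNPROTECTED),
                      ("misconfigured", MISCONFIGURED)):
        result = audit_clickjacking(raw)
        print(name, "frameable_by_attacker =", result["frameable_by_attacker"])
        for key in ("x_frame_options", "x_content_security_policy"):
            print("   ", key, "->", result[key]["reason"])
```

The misconfigured case is the one worth keeping in mind when reading the SHODAN counts: a header name showing up in a banner says nothing about whether its value is one a browser will enforce.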
7 thoughts on “Progress towards fully implementing X-Content-Security-Policy”
Great! I would say, take a look at how Drupal implements this and templating. Maybe even Adhere, and you get the benefit of not reinventing the wheel 😉 Maybe even better to make a Drupal module for MantisBT and use Drupal as a “theming engine”, something to think about… After all it’s open source and better to improve by using good ideas than stalled progress because of the need to make it from scratch. Anyhow, BIG thanks for making security a priority.
your dokuwiki is down.
wiki is up again 🙂
no, sorry, the wiki in the DEMO install is down:
There is this library that could be used as a template layer. New BSD License, and uses a syntax similar to Django.
There’s still some work going on regarding autoescaping, but manually escaping template variables works seamlessly.
We use Mantis 1.2.0a2 at work and Firefox 4.0b8.
I can get anything shown.
I use IE Tab specially for Mantis.