X-Content-Security-Policy now fully implemented in MantisBT 1.3.x

In November of 2010 I provided a progress update on work performed to ensure MantisBT 1.3.x fully supports the X-Content-Security-Policy feature of Firefox 4. At the time, MantisBT was only providing partial support of X-Content-Security-Policy due to a large amount of inline JavaScript contained within pages MantisBT was returning to clients. I am pleased to report that as of late December 2010, MantisBT no longer produces inline JavaScript in page outputs. This means that the following HTML output is no longer permitted in any part of MantisBT's XHTML page output: onchange="…" attributes, <script…>some_code();</script> and <a href="javascript:some_code()"…
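As an added illustration (example code, not MantisBT's own): the three inline-JavaScript forms listed above in a constructed "before" fragment, the unobtrusive "after" form that moves the behaviour into an external script file, and a small regex-based checker that flags any of the three forms in generated page output. The markup, the class and data-attribute names, and the /javascript/common.js path are all constructed for this example.

```javascript
// Added example, not MantisBT code. Constructed "before" fragment using the
// three inline-JavaScript forms the post says are no longer emitted.
const BEFORE = `
<select name="project" onchange="document.forms[0].submit()">
  <option value="1">Project A</option>
</select>
<script type="text/javascript">initPage();</script>
<a href="javascript:toggle('details')">Details</a>
`;

// Constructed "after" fragment: behaviour moves to an external script file
// (path assumed for the example) and is keyed off classes/data attributes.
const AFTER = `
<select name="project" class="autosubmit">
  <option value="1">Project A</option>
</select>
<script type="text/javascript" src="/javascript/common.js"></script>
<a href="#" class="toggle" data-target="details">Details</a>
`;

// What the external file would attach; runs only in a browser (no DOM in Node).
function wireUp(doc) {
  doc.querySelectorAll('select.autosubmit').forEach((el) =>
    el.addEventListener('change', () => el.form.submit()));
  doc.querySelectorAll('a.toggle').forEach((a) =>
    a.addEventListener('click', (ev) => {
      ev.preventDefault();
      const target = doc.getElementById(a.dataset.target);
      if (target) target.hidden = !target.hidden;
    }));
}
if (typeof document !== 'undefined') wireUp(document);

// Conservative regex checks for the three inline forms. A real HTML parser
// is more robust; this is enough to lint generated page output in a test.
const INLINE_PATTERNS = [
  { kind: 'event-attribute', re: /\s(on[a-z]+)\s*=\s*(?:"[^"]*"|'[^']*')/gi },
  { kind: 'inline-script',   re: /<script(?![^>]*\bsrc\s*=)[^>]*>([\s\S]*?)<\/script>/gi },
  { kind: 'javascript-url',  re: /\s(?:href|action)\s*=\s*(?:"\s*javascript:[^"]*"|'\s*javascript:[^']*')/gi },
];

// Returns one finding per inline-script occurrence; an empty array means the
// fragment is compatible with a policy that forbids inline script.
function findInlineScript(html) {
  const findings = [];
  for (const { kind, re } of INLINE_PATTERNS) {
    re.lastIndex = 0;
    let m;
    while ((m = re.exec(html)) !== null) {
      if (kind === 'inline-script' && m[1].trim() === '') continue; // empty <script></script>
      findings.push({ kind, snippet: m[0].trim().replace(/\s+/g, ' ').slice(0, 60) });
    }
  }
  return findings;
}

console.log('before:', findInlineScript(BEFORE)); // three findings, one per form
console.log('after :', findInlineScript(AFTER));  // []
```

Running the checker over every rendered page in a test suite is one way to keep a project from regressing back to inline script once a policy that forbids it is deployed.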

Browsers supporting X-Content-Security-Policy will not be at risk of having malicious JavaScript code execute as a result of Cross Site Scripting (XSS) vulnerabilities discovered in MantisBT core or any MantisBT plugins. Attackers looking to exploit XSS vulnerabilities are therefore severely restricted in what they can accomplish. For the most part, an XSS vulnerability in MantisBT will only lead to partial page defacements – an annoyance rather than a major security concern. The remaining risk is that attackers could trick a user into clicking on an innocent looking hyperlink to launch an external web site that aims to attack their browser. To counter this risk it is recommended that you use NoScript (or similar) to control which domains have the ability to execute JavaScript within your browser. Because MantisBT 1.2.0 (since July 2009) and all later versions fully implement Cross Site Request Forgery (CSRF) protection, the malicious hyperlinks placed in a hypothetical XSS attack on MantisBT cannot be used to maliciously perform actions on behalf of the user (even if the user has clicked on a maliciously placed hyperlink).

There is some work remaining on the X-Content-Security-Policy implementation (and by extension, the implementation of X-Frame-Options) to make it easier for plugin developers to allow remote scripts on other domains to be executed. Further to that point we need to make it easier for users to allow their MantisBT instance to be loaded within an iframe from a list of domains they trust for that purpose.
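As an added example (not MantisBT code) of how a per-instance allow-list of remote script domains and trusted framing domains could be turned into response headers: it assumes the Firefox 4 era draft syntax of X-Content-Security-Policy (allow as the default directive, with script-src and frame-ancestors), and assumes an https scheme for the ALLOW-FROM value. The validation accepts only bare hostnames, so a configuration value cannot smuggle a wildcard, a scheme or a keyword such as 'unsafe-inline' into the policy, and the builder reports the one thing X-Frame-Options cannot express: more than one framing domain.

```javascript
// Added example, not MantisBT code. Turns a configured allow-list into the
// headers a front controller would send. Assumes the Firefox 4 draft
// X-Content-Security-Policy syntax ('allow' is its default directive).
const HOST_RE = /^(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,}$/i;

// Only bare hostnames are accepted, so a config value cannot inject a
// wildcard, a scheme, or a keyword like 'unsafe-inline' into the policy.
function assertHost(host) {
  if (typeof host !== 'string' || !HOST_RE.test(host)) {
    throw new Error(`rejected policy source "${host}": expected a bare hostname`);
  }
  return host.toLowerCase();
}

// scriptHosts: domains whose external scripts may run (plugins' needs).
// frameHosts:  domains trusted to load this instance in an iframe.
function buildSecurityHeaders({ scriptHosts = [], frameHosts = [] } = {}) {
  const scripts = ["'self'", ...scriptHosts.map(assertHost)];
  const ancestors = frameHosts.length ? ["'self'", ...frameHosts.map(assertHost)] : ["'none'"];
  const headers = {
    'X-Content-Security-Policy':
      `allow 'self'; script-src ${scripts.join(' ')}; frame-ancestors ${ancestors.join(' ')}`,
  };
  const warnings = [];
  // X-Frame-Options can carry only DENY, SAMEORIGIN or a single ALLOW-FROM origin.
  if (frameHosts.length === 0) {
    headers['X-Frame-Options'] = 'DENY';
  } else if (frameHosts.length === 1) {
    headers['X-Frame-Options'] = `ALLOW-FROM https://${ancestors[1]}`; // scheme assumed
  } else {
    warnings.push('X-Frame-Options cannot express more than one framing domain; ' +
      'browsers without CSP support get no framing restriction from this response');
  }
  return { headers, warnings };
}

console.log(buildSecurityHeaders({
  scriptHosts: ['cdn.example.com'],          // constructed values
  frameHosts: ['intranet.example.com'],
}));
```

The warning is the point a deployer should not lose: a list of trusted framing domains is expressible in the CSP directive but not in X-Frame-Options, so browsers that honour only the latter need a separate decision (deny framing, or accept the gap) rather than a silently missing header.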

In my November 2010 progress update I mentioned that MantisBT is one of very few web applications implementing X-Content-Security-Policy. This is still the case and we hope that other web application developers (and browser vendors) will jump on the bandwagon to provide this additional security layer to their users.