MantisBT: master 517cd271

Author: dhx
Committer: dhx
Branch: master
Timestamp: 2010-04-22 08:26:26
Parent: master d9db796f
Affected Issues  0011825: Support X-Content-Security-Policy (CSP)

Issue 0011825: Support X-Content-Security-Policy (CSP)

Firefox 3.7 supports a new security mechanism called Content Security
Policy (CSP) that acts as a layer to prevent XSS, CSRF and clickjacking.

We can ensure that MantisBT doesn't load any files (images, scripts,
etc.) from external domains by using CSP. The exception to this rule at
the moment is the use of Gravatar for user avatar support in MantisBT.

CSP also allows us to limit the domains which can include MantisBT
within an iframe, helping prevent clickjacking attacks. At the moment we
don't allow MantisBT to be included in any iframes from any domain.

In the future we'll need to create a mechanism for plugins to notify
MantisBT of other domains that are safe to load external data from.

mod - core/http_api.php
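The policy the commit message describes (own origin only, Gravatar as the one image exception, no framing, and a hook for plugins to register further hosts), as an added PHP example that is not MantisBT's own http_api.php code. The Gravatar host, the function names and the plugin-source array shape are assumptions; directive names follow the standardised Content-Security-Policy syntax (default-src, img-src, frame-ancestors) rather than the Firefox 3.7 draft, and the policy is sent under both the X-Content-Security-Policy name used in the message and the standard header name.

```php
<?php
// Added example, not MantisBT code: build and send the CSP header.

/**
 * Build the policy string.
 * @param array $p_plugin_sources  directive => list of origins that plugins
 *        declare safe (the future mechanism the commit message mentions).
 */
function csp_build_policy( array $p_plugin_sources = array() ) {
    // Base policy: everything from our own origin, images additionally from
    // Gravatar (assumed host), and no site may embed us in a frame.
    $t_policy = array(
        'default-src'     => array( "'self'" ),
        'img-src'         => array( "'self'", 'https://www.gravatar.com' ),
        'frame-ancestors' => array( "'none'" ),
    );

    foreach( $p_plugin_sources as $t_directive => $t_sources ) {
        // Plugins may only widen *-src directives; frame-ancestors stays locked.
        if( !preg_match( '/^[a-z]+-src$/', $t_directive ) ) {
            trigger_error( "Ignoring CSP directive: $t_directive", E_USER_WARNING );
            continue;
        }
        // A new fetch directive overrides default-src for that resource type,
        // so seed it with 'self' or our own assets would stop loading.
        if( !isset( $t_policy[$t_directive] ) ) {
            $t_policy[$t_directive] = array( "'self'" );
        }
        foreach( (array)$t_sources as $t_source ) {
            // Accept a bare origin only: no ';' or whitespace that could
            // smuggle in another directive, and no wildcard-all hosts.
            if( !preg_match( '#^https?://[A-Za-z0-9.-]+(:\d+)?$#', $t_source ) ) {
                trigger_error( "Ignoring CSP source: $t_source", E_USER_WARNING );
                continue;
            }
            $t_policy[$t_directive][] = $t_source;
        }
    }

    $t_parts = array();
    foreach( $t_policy as $t_directive => $t_sources ) {
        $t_parts[] = $t_directive . ' ' . implode( ' ', array_unique( $t_sources ) );
    }
    return implode( '; ', $t_parts );
}

function csp_send_headers( array $p_plugin_sources = array() ) {
    $t_policy = csp_build_policy( $p_plugin_sources );
    header( 'X-Content-Security-Policy: ' . $t_policy ); // name used by Firefox 3.7
    header( 'Content-Security-Policy: ' . $t_policy );   // standardised name
}

// Usage (constructed plugin host): must run before any output is sent.
csp_send_headers( array( 'img-src' => array( 'https://plugin-assets.example' ) ) );
```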