View Issue Details

ID: 0011824
Project: mantisbt
Category: security
View Status: public
Last Update: 2013-04-07 11:01
Reporter: dhx
Assigned To: dhx
Priority: normal
Severity: feature
Reproducibility: N/A
Status: closed
Resolution: fixed
Product Version: 1.2.0
Target Version: 1.2.1
Fixed in Version: 1.2.1
Summary: 0011824: Implement X-Frame-Options clickjacking protection
Description

References on what X-Frame-Options is:
http://blogs.msdn.com/ie/archive/2009/01/27/ie8-security-part-vii-clickjacking-defenses.aspx
http://blogs.msdn.com/ieinternals/archive/2010/03/30/Combating-ClickJacking-with-X-Frame-Options.aspx

Essentially, by sending X-Frame-Options: DENY as an HTTP header, we prevent MantisBT from being loaded inside an iframe. This prevents MantisBT from being the target of clickjacking attacks (which bypass CSRF protection).

There could be some limited use cases for framing MantisBT (Google Image results); however, we have single-click action buttons on view.php that could be the target of clickjacking attacks. Some browsers do give the user the option to open the frame in a new window anyway (and Google Images has a button to load the site outside of a frame).
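A deployment check for the protection described above, added here as an example and not part of the issue or of MantisBT's own code: it parses a raw HTTP response head, classifies the X-Frame-Options value the way browsers interpret it (a missing, conflicting, or malformed header leaves the page framable) and reports whether the page is protected. The sample responses are constructed, not captured from a real server.

```python
"""Classify the clickjacking protection a response offers via X-Frame-Options."""
from typing import Dict, List


def parse_headers(raw: str) -> Dict[str, List[str]]:
    """Parse an HTTP/1.x response head into {lowercased name: [values]}.

    Header names are case-insensitive; repeated headers are kept in order so
    that conflicting X-Frame-Options values can be detected.
    """
    headers: Dict[str, List[str]] = {}
    for line in raw.replace("\r\n", "\n").split("\n")[1:]:  # skip status line
        if not line.strip():
            break  # blank line terminates the head; the body follows
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def framing_policy(headers: Dict[str, List[str]]) -> str:
    """Return 'deny', 'sameorigin', 'allow-from', 'framable' or 'invalid'.

    'framable' means no header was sent. 'invalid' covers conflicting or
    unrecognised values, which browsers do not enforce consistently, so it
    must be treated as unprotected. ALLOW-FROM is reported separately because
    browsers that never implemented it ignore the header entirely.
    """
    values = [v.upper() for v in headers.get("x-frame-options", [])]
    if not values:
        return "framable"
    if len(set(values)) > 1:
        return "invalid"
    value = values[0]
    if value == "DENY":
        return "deny"
    if value == "SAMEORIGIN":
        return "sameorigin"
    if value.startswith("ALLOW-FROM "):
        return "allow-from"
    return "invalid"


def is_clickjacking_protected(raw: str) -> bool:
    """True only for the policies every supporting browser enforces."""
    return framing_policy(parse_headers(raw)) in ("deny", "sameorigin")


# Constructed sample responses (hypothetical, not from a real MantisBT host).
PROTECTED = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nX-Frame-Options: DENY\r\n\r\n<html>"
UNPROTECTED = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>"
```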

Tags: No tags attached.

Relationships

related to 0011825 (closed, dhx): Support X-Content-Security-Policy (CSP)
related to 0012165 (acknowledged): Allow mantis to be loaded in an iframe
related to 0013542 (closed, rombert): in MantisGraph, function "Show as Table" try to open an iframe and fail
related to 0015724 (closed, atrol): Allow administrators to customize X-Frame-Options header

Activities

There are no notes attached to this issue.

Related Changesets

MantisBT: master-1.2.x 3cd065de

2010-04-22 04:02

dhx

Issue 0011824: Implement X-Frame-Options clickjacking protection

The X-Frame-Options header can help prevent clickjacking attacks against
MantisBT installations by preventing MantisBT from being loaded inside
an iframe.

Currently the following browsers support X-Frame-Options:
* IE8+
* Opera 10.50+
* Safari 4+
* Chrome 4.1.249.1042+
* Firefox with NoScript
Affected Issues
0011824
mod - core/http_api.php

MantisBT: master d9db796f

2010-04-22 04:02

dhx

Issue 0011824: Implement X-Frame-Options clickjacking protection
(commit message identical to 3cd065de on master-1.2.x above)
Affected Issues
0011824
mod - core/http_api.php