View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
0011824 | mantisbt | security | public | 2010-04-22 03:48 | 2013-04-07 11:01 |
Reporter | dhx | Assigned To | dhx | ||
Priority | normal | Severity | feature | Reproducibility | N/A |
Status | closed | Resolution | fixed | ||
Product Version | 1.2.0 | ||||
Target Version | 1.2.1 | Fixed in Version | 1.2.1 | ||
Summary | 0011824: Implement X-Frame-Options clickjacking protection | ||||
Description | References on what X-Frame-Options is: Essentially, by sending X-Frame-Options: DENY as an HTTP header we prevent MantisBT from being loaded inside an iframe. This prevents MantisBT from being the target of clickjacking attacks (which bypass CSRF protection). There could be some limited use cases for framing MantisBT (Google Image results); however, we have single-click action buttons on view.php that could be the target of clickjacking attacks. Some browsers do give the user the option to open the frame in a new window anyway (and Google Images has a button to load the site outside of a frame). | ||||
Tags | No tags attached. | ||||
Relationship | Issue | Status | Assigned To | Summary |
---|---|---|---|---|
related to | 0011825 | closed | dhx | Support X-Content-Security-Policy (CSP) |
related to | 0012165 | acknowledged | | Allow mantis to be loaded in an iframe |
related to | 0013542 | closed | rombert | in MantisGraph, function "Show as Table" try to open an iframe and fail |
related to | 0015724 | closed | atrol | Allow administrators to customize X-Frame-Options header |
MantisBT: master-1.2.x 3cd065de 2010-04-22 04:02
Issue 0011824: Implement X-Frame-Options clickjacking protection

The X-Frame-Options header can help prevent clickjacking attacks against MantisBT installations by preventing MantisBT from being loaded inside an iframe. Currently the following browsers support X-Frame-Options:
* IE8+
* Opera 10.50+
* Safari 4+
* Chrome 4.1.249.1042+
* Firefox with NoScript

Affected Issues: 0011824
mod - core/http_api.php
MantisBT: master d9db796f 2010-04-22 04:02
Issue 0011824: Implement X-Frame-Options clickjacking protection

The X-Frame-Options header can help prevent clickjacking attacks against MantisBT installations by preventing MantisBT from being loaded inside an iframe. Currently the following browsers support X-Frame-Options:
* IE8+
* Opera 10.50+
* Safari 4+
* Chrome 4.1.249.1042+
* Firefox with NoScript

Affected Issues: 0011824
mod - core/http_api.php
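The following is an added illustration of the protection described in this issue, written for this page; it is not MantisBT's code from core/http_api.php and does not reproduce the committed change. It shows how a tracker can emit X-Frame-Options from a configurable mode, which is the shape the related issues 0012165 (allow framing) and 0015724 (let administrators customize the header) push towards. The setting name `$g_frame_options` and both function names are assumptions made for the example. The fail-closed branch exists because a browser that does not recognise the header value behaves as if no header had been sent, so a typo in the configuration would silently re-enable framing.

```php
<?php
// Added example, not MantisBT's own code. The $g_frame_options setting and
// the function names below are assumptions made for illustration.

// Hypothetical configuration: 'DENY', 'SAMEORIGIN', or '' to send no header
// (the behaviour an administrator would pick to allow framing, cf. 0012165).
$g_frame_options = 'DENY';

/**
 * Map a configured mode to the X-Frame-Options value to send, or null when
 * the header should be omitted. Anything other than the two recognised
 * tokens falls back to DENY: an unrecognised value is ignored by browsers,
 * which would leave every page frameable and the clickjacking risk intact.
 */
function frame_options_value( $p_mode ) {
	$t_mode = strtoupper( trim( (string)$p_mode ) );
	if( $t_mode === '' ) {
		return null;               // administrator explicitly allowed framing
	}
	if( $t_mode !== 'DENY' && $t_mode !== 'SAMEORIGIN' ) {
		return 'DENY';             // fail closed on e.g. 'SAME-ORIGIN' or 'deny all'
	}
	return $t_mode;
}

/**
 * Emit the header for the current response. It has to be called before any
 * output has been sent (headers_sent() guards that) and on every HTML page,
 * since a single unprotected action page such as view.php is enough for an
 * attacker to frame. Returns true when the header was sent.
 */
function http_frame_options_header() {
	global $g_frame_options;
	$t_value = frame_options_value( $g_frame_options );
	if( $t_value === null || headers_sent() ) {
		return false;
	}
	header( 'X-Frame-Options: ' . $t_value );
	return true;
}

http_frame_options_header();
```

To confirm a deployed instance actually sends the header, request a page that carries single-click actions (view.php in the description above) and check the response headers, for example with `curl -sI` piped through `grep -i x-frame-options`; the header must appear on every response, not only on the front page.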