View Issue Details

ID: 0011825
Project: mantisbt
Category: security
View Status: public
Last Update: 2012-09-03 04:31
Reporter: dhx
Assigned To: dhx
Priority: normal
Severity: feature
Reproducibility: N/A
Status: closed
Resolution: fixed
Product Version: 1.2.0
Target Version: 1.2.1
Fixed in Version: 1.2.1
Summary0011825: Support X-Content-Security-Policy (CSP)
Description

Background information on CSP:
https://wiki.mozilla.org/Security/CSP/Design_Considerations

The specifications:
https://wiki.mozilla.org/Security/CSP/Specification

This is a feature planned for Firefox 3.7. In other browsers that don't support X-Content-Security-Policy, this feature is ignored gracefully.

Essentially it adds another layer of security against XSS, CSRF and clickjacking attacks.

Tags: No tags attached.

Relationships

related to 0011824 (closed, dhx): Implement X-Frame-Options clickjacking protection
related to 0011826 (closed, dhx): Remove all inline JavaScript from MantisBT (use external scripts instead)
related to 0012165 (acknowledged): Allow mantis to be loaded in an iframe
related to 0014679 (closed, dregad): Support Content-Security-Policy (CSP) per W3C specification

Activities

There are no notes attached to this issue.

Related Changesets

MantisBT: master-1.2.x d2e05d3e

2010-04-22 08:26:26

dhx

Issue 0011825: Support X-Content-Security-Policy (CSP)

Firefox 3.7 supports a new security mechanism called Content Security
Policy (CSP) that acts as a layer to prevent XSS, CSRF and clickjacking
attacks.

We can ensure that MantisBT doesn't load any files (images, scripts,
etc) from external domains by using CSP. The exception to this rule at
the moment is the use of Gravatar for user avatar support in MantisBT.

CSP also allows us to limit the domains which can include MantisBT
within an iframe, helping prevent clickjacking attacks. At the moment we
don't allow MantisBT to be included in any iframes from any domain.

In the future we'll need to create a mechanism for plugins to notify
MantisBT of other domains that are safe to load external data from.
Affected Issues
0011825
mod - core/http_api.php

MantisBT: master 517cd271

2010-04-22 08:26:26

dhx

Issue 0011825: Support X-Content-Security-Policy (CSP)

Firefox 3.7 supports a new security mechanism called Content Security
Policy (CSP) that acts as a layer to prevent XSS, CSRF and clickjacking
attacks.

We can ensure that MantisBT doesn't load any files (images, scripts,
etc) from external domains by using CSP. The exception to this rule at
the moment is the use of Gravatar for user avatar support in MantisBT.

CSP also allows us to limit the domains which can include MantisBT
within an iframe, helping prevent clickjacking attacks. At the moment we
don't allow MantisBT to be included in any iframes from any domain.

In the future we'll need to create a mechanism for plugins to notify
MantisBT of other domains that are safe to load external data from.
Affected Issues
0011825
mod - core/http_api.php
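The policy the two changesets above describe, as an added PHP example that is not MantisBT's own core/http_api.php code: every source defaults to the same origin, images may additionally come from Gravatar (the one exception the commit message names), no site may frame MantisBT, and a hypothetical plugin registry (csp_register_source) stands in for the future mechanism the commit message says plugins will need. Assumptions not on the page: the directive syntax follows the Mozilla X-CSP draft linked in the description ("allow", "img-src", "frame-ancestors"), the Gravatar host name, and all function and variable names.

```php
<?php
// Added example, not MantisBT code: builds the X-Content-Security-Policy
// header described in the changeset. Directive names follow the Mozilla
// X-CSP draft linked in the issue; the Gravatar host and the function
// names are assumptions.

// Extra origins that plugins may register as safe sources, keyed by
// directive. Hypothetical: the commit message only says such a mechanism
// is needed in the future.
$g_csp_plugin_sources = array();

/**
 * Hypothetical plugin hook: allow one extra origin for one CSP directive.
 * Both values are validated so a plugin cannot smuggle ';' or whitespace
 * into the header and append directives of its own.
 */
function csp_register_source( $p_directive, $p_origin ) {
	global $g_csp_plugin_sources;
	if( !preg_match( '/^[a-z-]+$/', $p_directive ) ) {
		throw new InvalidArgumentException( 'Bad CSP directive name' );
	}
	if( !preg_match( '#^https?://[A-Za-z0-9.-]+(:[0-9]+)?$#', $p_origin ) ) {
		throw new InvalidArgumentException( 'Bad CSP source origin' );
	}
	$g_csp_plugin_sources[$p_directive][] = $p_origin;
}

/**
 * Build the policy string. Everything defaults to same-origin; images may
 * also come from Gravatar; frame-ancestors 'none' matches "we don't allow
 * MantisBT to be included in any iframes from any domain".
 */
function csp_build_policy( $p_gravatar_enabled = true ) {
	global $g_csp_plugin_sources;
	$t_directives = array(
		'allow'           => array( "'self'" ),
		'img-src'         => array( "'self'" ),
		'frame-ancestors' => array( "'none'" ),
	);
	if( $p_gravatar_enabled ) {
		// Assumed Gravatar host; the issue page does not state it.
		$t_directives['img-src'][] = 'https://secure.gravatar.com';
	}
	foreach( $g_csp_plugin_sources as $t_directive => $t_origins ) {
		if( $t_directive == 'frame-ancestors' ) {
			continue; // plugins may widen fetch sources, never re-enable framing
		}
		if( !isset( $t_directives[$t_directive] ) ) {
			$t_directives[$t_directive] = array( "'self'" );
		}
		$t_directives[$t_directive] = array_merge( $t_directives[$t_directive], $t_origins );
	}
	$t_parts = array();
	foreach( $t_directives as $t_name => $t_sources ) {
		$t_parts[] = $t_name . ' ' . implode( ' ', array_unique( $t_sources ) );
	}
	return implode( '; ', $t_parts );
}

/**
 * Emit the header unless output has already started. The header name is
 * the prefixed pre-standard one in the issue title, which browsers without
 * support ignore, as the description notes.
 */
function csp_send_header() {
	if( headers_sent() ) {
		return false;
	}
	header( 'X-Content-Security-Policy: ' . csp_build_policy() );
	return true;
}

// Usage: a hypothetical plugin registers a font host, then the policy is built.
csp_register_source( 'font-src', 'https://fonts.example.com' );
echo csp_build_policy(), "\n";
```

The validation in csp_register_source is the part worth keeping if the plugin mechanism is ever built: a policy is a header value, so any origin string a plugin supplies is header-injection surface unless it is constrained to a scheme, host and optional port before being concatenated in.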

Issue History

Date Modified Username Field Change
2010-04-22 03:59 dhx New Issue
2010-04-22 03:59 dhx Status new => assigned
2010-04-22 03:59 dhx Assigned To => dhx
2010-04-22 04:32 dhx Summary Support X-Security-Content-Policy (CSP) => Support X-Content-Security-Policy (CSP)
2010-04-22 04:32 dhx Description Updated
2010-04-22 04:33 dhx Changeset attached => MantisBT master-1.2.x d2e05d3e
2010-04-22 04:33 dhx Changeset attached => MantisBT master 517cd271
2010-04-22 04:33 dhx Status assigned => resolved
2010-04-22 04:33 dhx Fixed in Version => 1.2.1
2010-04-22 04:33 dhx Resolution open => fixed
2010-04-22 04:37 dhx Relationship added related to 0011826
2010-04-22 04:37 dhx Relationship added related to 0011824
2010-04-23 14:30 jreese Status resolved => closed
2010-07-13 17:58 dhx Relationship added related to 0012165
2012-09-03 04:31 dregad Issue cloned: 0014679
2012-09-03 04:31 dregad Relationship added related to 0014679