View Issue Details

ID: 0012165
Project: mantisbt
Category: security
View Status: public
Last Update: 2014-01-23 17:54
Reporter: neilc
Assigned To:
Status: acknowledged
Resolution: open
Product Version: 1.2.0
Summary: 0012165: Allow mantis to be loaded in an iframe

Currently the mantis security policy does not allow mantis to be loaded inside an iframe (by browsers that support this feature). It would be nice to have a config option to disable this behaviour or to allow particular domains/URLs to load mantis in an iframe.

Additional Information

For now, editing http_security_headers() in http_api.php is the only way to make this work.

Tags: No tags attached.


related to 0011824 | closed | dhx | Implement X-Frame-Options clickjacking protection
related to 0011825 | closed | dhx | Support X-Content-Security-Policy (CSP)
has duplicate 0013129 | closed | atrol | firefox 3.5 and later cannot handle mantis put into a frame
has duplicate 0015724 | closed | atrol | Allow administrators to customize X-Frame-Options header
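
One shape the requested per-domain option could take, as an added example that is not MantisBT code and not from this issue: the function name `build_frame_headers`, the mode names and the sample origin are hypothetical. It covers only the allowlist half of the request and keeps X-Frame-Options as a fallback, using the CSP `frame-ancestors` directive for the listed origins.

```php
<?php
// Added example with hypothetical names; not part of MantisBT's http_api.php.

/**
 * Build anti-framing headers from a policy setting.
 * $mode:    'deny', 'sameorigin' or 'allowlist'; anything else is treated as 'deny'.
 * $origins: exact origins allowed to frame the app when $mode is 'allowlist'.
 */
function build_frame_headers(string $mode, array $origins = []): array {
    if ($mode === 'sameorigin') {
        return ['X-Frame-Options: SAMEORIGIN',
                "Content-Security-Policy: frame-ancestors 'self'"];
    }
    if ($mode === 'allowlist') {
        $sources = ["'self'"];
        foreach ($origins as $origin) {
            // Accept only scheme://host[:port]. No wildcards, paths, spaces or
            // newlines, so a config value cannot add directives or headers.
            if (!preg_match('#^https?://[a-z0-9.-]+(:\d{1,5})?\z#i', $origin)) {
                throw new InvalidArgumentException("Invalid frame origin: $origin");
            }
            $sources[] = strtolower($origin);
        }
        // Browsers that implement frame-ancestors apply it in preference to
        // X-Frame-Options; older ones fall back to SAMEORIGIN and refuse
        // third-party framing instead of allowing every site.
        return ['X-Frame-Options: SAMEORIGIN',
                'Content-Security-Policy: frame-ancestors ' . implode(' ', $sources)];
    }
    // Unknown or missing mode fails closed.
    return ['X-Frame-Options: DENY',
            "Content-Security-Policy: frame-ancestors 'none'"];
}

// Constructed sample configuration.
foreach (build_frame_headers('allowlist', ['https://portal.example.com']) as $h) {
    echo $h, PHP_EOL; // in a request handler this would be header($h)
}
```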




2010-07-13 17:59

reporter   ~0026073

Reference for manually editing http_api.php:



2013-04-07 11:22

reporter   ~0036534

Users actually need to do this for valid use cases, see . I think that it's not such a large change and can be targeted to 1.2.x. If you disagree feel free to move back to 1.3.x, as this is not my area of expertise.



2013-04-09 18:36

developer   ~0036558

I just think that, in light of current discussion on the mailing list, we should probably avoid putting anything new in scope for 1.2.x, at least until we reach a decision in a few days (hopefully ;)



2013-04-10 02:59

reporter   ~0036560

I'm not going to push anything to 1.2.x until we have a way to go forward with the next versions.



2013-04-27 18:26

developer   ~0036699

Removed assignment. dhx will not contribute to this issue in the near future.

Issue History

Date Modified Username Field Change
2010-07-13 11:08 neilc New Issue
2010-07-13 17:58 dhx Relationship added related to 0011824
2010-07-13 17:58 dhx Relationship added related to 0011825
2010-07-13 17:59 dhx Assigned To => dhx
2010-07-13 17:59 dhx Status new => assigned
2010-07-13 17:59 dhx Note Added: 0026073
2010-07-13 17:59 dhx Target Version => 1.3.0-beta.1
2011-07-08 03:13 atrol Relationship added has duplicate 0013129
2013-04-07 11:19 atrol Relationship added has duplicate 0015724
2013-04-07 11:22 rombert Note Added: 0036534
2013-04-07 11:22 rombert Target Version 1.3.0-beta.1 => 1.2.15
2013-04-09 18:36 dregad Note Added: 0036558
2013-04-10 02:59 rombert Note Added: 0036560
2013-04-12 09:57 dregad Target Version 1.2.15 => 1.2.16
2013-04-27 18:26 atrol Note Added: 0036699
2013-04-27 18:26 atrol Assigned To dhx =>
2013-04-27 18:26 atrol Status assigned => acknowledged
2014-01-23 17:54 atrol Target Version 1.2.16 =>