View Issue Details
|ID||Project||Category||View Status||Date Submitted||Last Update|
|0012165||mantisbt||security||public||2010-07-13 11:08||2014-01-23 17:54|
|Summary||0012165: Allow mantis to be loaded in an iframe|
Currently the mantis security policy does not allow mantis to be loaded inside an iframe (by browsers that support this feature). It would be nice to have a config option to disable this behaviour or to allow particular domains/URLs to load mantis in an iframe.
For now, editing http_security_headers() in http_api.php is the only way to make this work.
|Tags||No tags attached.|
|related to||0011824||closed||dhx||Implement X-Frame-Options clickjacking protection|
|related to||0011825||closed||dhx||Support X-Content-Security-Policy (CSP)|
|has duplicate||0013129||closed||atrol||firefox 3.5 and later cannot handle mantis put into a frame|
|has duplicate||0015724||closed||atrol||Allow administrators to customize X-Frame-Options header|
Reference for manually editing http_api.php: http://www.mantisbt.org/blog/?p=102
Users actually need to do this for valid use cases, see http://stackoverflow.com/questions/15813325/squash-tm-bugtracker-in-frame/15815825 . I think that it's not such a large change and can be targeted to 1.2.x. If you disagree feel free to move back to 1.3.x, as this is not my area of expertise.
I just think that, in light of current discussion on the mailing list, we should probably avoid putting anything new in scope for 1.2.x, at least we reach a decision in a few days (hopefully ;)
I'm not going to push anything to 1.2.x until we have a way to go forward with the next versions.
Removed assignment. dhx will not contribute to this issue in near future.
|2010-07-13 11:08||neilc||New Issue|
|2010-07-13 17:58||dhx||Relationship added||related to 0011824|
|2010-07-13 17:58||dhx||Relationship added||related to 0011825|
|2010-07-13 17:59||dhx||Assigned To||=> dhx|
|2010-07-13 17:59||dhx||Status||new => assigned|
|2010-07-13 17:59||dhx||Note Added: 0026073|
|2010-07-13 17:59||dhx||Target Version||=> 1.3.0-beta.1|
|2011-07-08 03:13||atrol||Relationship added||has duplicate 0013129|
|2013-04-07 11:19||atrol||Relationship added||has duplicate 0015724|
|2013-04-07 11:22||rombert||Note Added: 0036534|
|2013-04-07 11:22||rombert||Target Version||1.3.0-beta.1 => 1.2.15|
|2013-04-09 18:36||dregad||Note Added: 0036558|
|2013-04-10 02:59||rombert||Note Added: 0036560|
|2013-04-12 09:57||dregad||Target Version||1.2.15 => 1.2.16|
|2013-04-27 18:26||atrol||Note Added: 0036699|
|2013-04-27 18:26||atrol||Assigned To||dhx =>|
|2013-04-27 18:26||atrol||Status||assigned => acknowledged|
|2014-01-23 17:54||atrol||Target Version||1.2.16 =>|