View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
0012165 | mantisbt | security | public | 2010-07-13 11:08 | 2014-01-23 17:54 |
Reporter | neilc | Assigned To | |||
Priority | normal | Severity | feature | Reproducibility | N/A |
Status | acknowledged | Resolution | open | ||
Product Version | 1.2.0 | ||||
Summary | 0012165: Allow mantis to be loaded in an iframe | ||||
Description | Currently the mantis security policy does not allow mantis to be loaded inside an iframe (by browsers that support this feature). It would be nice to have a config option to disable this behaviour or to allow particular domains/URLs to load mantis in an iframe. | ||||
Additional Information | For now, editing http_security_headers() in http_api.php is the only way to make this work. | ||||
Tags | No tags attached. | ||||
related to | 0011824 | closed | dhx | Implement X-Frame-Options clickjacking protection |
related to | 0011825 | closed | dhx | Support X-Content-Security-Policy (CSP) |
has duplicate | 0013129 | closed | atrol | firefox 3.5 and later cannot handle mantis put into a frame |
has duplicate | 0015724 | closed | atrol | Allow administrators to customize X-Frame-Options header |
Reference for manually editing http_api.php: http://www.mantisbt.org/blog/?p=102

Users actually need to do this for valid use cases, see http://stackoverflow.com/questions/15813325/squash-tm-bugtracker-in-frame/15815825 . I think that it's not such a large change and can be targeted to 1.2.x. If you disagree feel free to move back to 1.3.x, as this is not my area of expertise.

I just think that, in light of current discussion on the mailing list, we should probably avoid putting anything new in scope for 1.2.x, at least until we reach a decision in a few days (hopefully ;)

I'm not going to push anything to 1.2.x until we have a way to go forward with the next versions.

Removed assignment. dhx will not contribute to this issue in near future.
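One way the per-domain allowlist requested in the description could be expressed without switching the clickjacking protection off entirely, as an added example that is not MantisBT's code: `build_frame_headers()` and its origin-list argument are hypothetical, and falling back to DENY when nothing valid is configured is an assumption.

```php
<?php
// Added example, not MantisBT code: build_frame_headers() and the allowlist
// argument are hypothetical. Header names and values are the standard ones.

function build_frame_headers(array $allowed_origins): array
{
    $valid = [];
    foreach ($allowed_origins as $origin) {
        $p = is_string($origin) ? parse_url($origin) : false;
        // Accept only scheme://host[:port]. Wildcards, paths, queries and
        // userinfo are rejected so a config typo cannot widen the policy or
        // smuggle an extra directive into the header.
        if (!is_array($p)
            || !isset($p['scheme'], $p['host'])
            || !in_array(strtolower($p['scheme']), ['http', 'https'], true)
            || !preg_match('/^[a-z0-9.-]+$/i', $p['host'])
            || array_diff(array_keys($p), ['scheme', 'host', 'port'])
        ) {
            continue;
        }
        $o = strtolower($p['scheme'] . '://' . $p['host']);
        if (isset($p['port'])) {
            $o .= ':' . $p['port'];
        }
        $valid[$o] = true; // array keys de-duplicate repeated entries
    }

    if ($valid === []) {
        // Nothing valid configured: keep framing blocked for every browser.
        return [
            'X-Frame-Options: DENY',
            "Content-Security-Policy: frame-ancestors 'none'",
        ];
    }
    // X-Frame-Options has no multi-origin form (ALLOW-FROM took one origin and
    // current browsers do not support it), so the allowlist is expressed with
    // the CSP frame-ancestors directive only.
    return [
        "Content-Security-Policy: frame-ancestors 'self' "
            . implode(' ', array_keys($valid)),
    ];
}

// Constructed sample config: one valid origin, one wildcard that is dropped.
$sample = ['https://portal.example.com', 'https://*.example.com'];
foreach (build_frame_headers($sample) as $line) {
    echo $line, PHP_EOL; // in a web request, pass each line to header()
}
```

Browsers that predate `frame-ancestors` get no framing restriction from the allowlist branch, so the list should stay as short as the embedding use case allows.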