View Issue Details

ID: 0014679
Project: mantisbt
Category: security
View Status: public
Last Update: 2015-07-07 16:48
Reporter: dregad
Assigned To: dregad
Status: closed
Resolution: fixed
Product Version: 1.2.1
Target Version: 1.3.0-beta.1
Fixed in Version: 1.3.0-beta.1
Summary: 0014679: Support Content-Security-Policy (CSP) per W3C specification

dhx originally implemented CSP following the Mozilla-proposed specification X-Content-Security-Policy [1] in 0011825.

Since then, the proposal has evolved into a W3C standard [2], which is still in DRAFT form but differs in some significant ways from the Mozilla original specification:

  • Standard header: "Content-Security-Policy" (renamed from "X-Content-Security-Policy")
  • "default-src" (instead of "allow")
  • new way of specifying options ('unsafe-inline' and 'unsafe-eval')
  • "frame-src" (instead of frame-ancestors)
  • etc.

MantisBT headers should be modified to adhere to the new standard once it becomes final and is correctly implemented in major browsers (see Additional info below).


Additional Information

With Firefox 15, the new standard is only partially implemented:

  • not yet using standard header
  • options 'unsafe-inline' and 'unsafe-eval' do not work
  • still using proprietary equivalent "options inline-script eval-script" (currently implemented in MantisBT)
  • Header has been renamed from "X-Content-Security-Policy" to "Content-Security-Policy"

Adherence to the new standard is a work-in-progress at Mozilla:

Tags: No tags attached.


related to 0011825 (closed, dhx): Support X-Content-Security-Policy (CSP)
related to 0019307 (acknowledged): Possibility to report violations of the Content-Security-Policy
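The header-name and directive differences listed in the description above, as an added Python example that is not MantisBT code: one policy serialised in the W3C syntax and in the older Mozilla syntax, plus a small parser that flags a header value still using the legacy "allow"/"options" directives. The directive names and the mapping between the two syntaxes are taken from the description; the function names are my own.

```python
# Added example (not MantisBT code): serialise one policy in both the W3C
# Content-Security-Policy syntax and the older Mozilla X-Content-Security-Policy
# syntax described in the report, and parse a header value back for checking.

W3C_HEADER = "Content-Security-Policy"
LEGACY_HEADER = "X-Content-Security-Policy"

# Keyword sources that the legacy syntax expressed as a separate "options"
# directive rather than as quoted keywords inside script-src.
LEGACY_OPTIONS = {"'unsafe-inline'": "inline-script", "'unsafe-eval'": "eval-script"}


def build_csp(policy, legacy=False):
    """Return (header_name, header_value) for a policy given as
    {directive: [source, ...]} using W3C directive names."""
    directives = []
    options = []
    for name, sources in policy.items():
        sources = list(sources)
        if legacy:
            if name == "default-src":
                name = "allow"  # legacy name of the default directive
            if name == "script-src":
                # 'unsafe-inline' / 'unsafe-eval' move into the options directive
                options += [LEGACY_OPTIONS[s] for s in sources if s in LEGACY_OPTIONS]
                sources = [s for s in sources if s not in LEGACY_OPTIONS]
        if sources:
            directives.append(name + " " + " ".join(sources))
    if legacy and options:
        directives.append("options " + " ".join(options))
    return (LEGACY_HEADER if legacy else W3C_HEADER), "; ".join(directives)


def parse_csp(value):
    """Parse a header value into {directive: [sources]} in the order sent."""
    parsed = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            parsed[tokens[0]] = tokens[1:]
    return parsed


def uses_legacy_syntax(value):
    """True when a header value still uses the pre-W3C Mozilla directives."""
    parsed = parse_csp(value)
    return "allow" in parsed or "options" in parsed


if __name__ == "__main__":
    # Constructed sample policy: same-origin everything, inline scripts allowed.
    policy = {"default-src": ["'self'"], "script-src": ["'self'", "'unsafe-inline'"]}
    for legacy in (False, True):
        name, value = build_csp(policy, legacy)
        print(name + ": " + value)
```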




2013-10-17 10:49  developer  ~0038290  (last edited: 2013-10-17 10:53)

The CSP 1.0 standard has been implemented in Firefox 23 [1] in June 2013; as per the blog post, it is also available in Chrome 25 and IE 10.

I tried to make the change in http api, but unfortunately there seems to be an issue with jQuery, triggering "Content Security Policy: Directive inline script base restriction violated" whenever it is included (tested with 1.9.1 and 1.10.2).

This error is reproducible with a simple test file (tested on FF 24):

    <?php header( "Content-Security-Policy: default-src 'self'" ); ?>
    <script type="text/javascript" src="/mantis/javascript/jquery-1.9.1.min.js"></script>

Somebody else reported the same error [2].

Test branch:




2015-04-05 12:44

developer   ~0049324

This was actually implemented by grangeway in September 2014.

Related Changesets

MantisBT: master 91242cdb (2014-08-30 17:23:34, Paul Richards)

Fix Content-Security-Policy Headers

Firefox complains when accessing mantis 1.3 about the deprecated headers.

X-Content-Security-Policy is replaced by Content Security Policy

Modified: core/http_api.php

Issue History

Date Modified Username Field Change
2012-09-03 04:31 dregad New Issue
2012-09-03 04:31 dregad Issue generated from: 0011825
2012-09-03 04:31 dregad Relationship added related to 0011825
2012-09-03 04:31 dregad Status new => confirmed
2012-09-03 04:32 dregad Product Version 1.2.0 => 1.2.1
2013-10-17 10:49 dregad Note Added: 0038290
2013-10-17 10:53 dregad Note Edited: 0038290 View Revisions
2015-04-05 12:42 dregad Relationship added related to 0019307
2015-04-05 12:44 dregad Assigned To => dregad
2015-04-05 12:44 dregad Status confirmed => resolved
2015-04-05 12:44 dregad Resolution open => fixed
2015-04-05 12:44 dregad Fixed in Version => 1.3.0-beta.1
2015-04-05 12:44 dregad Note Added: 0049324
2015-04-05 12:44 dregad Changeset attached => MantisBT master 91242cdb
2015-04-05 12:50 dregad Target Version => 1.3.0-beta.1
2015-07-07 16:48 atrol Status resolved => closed