View Issue Details
| ID | Project | Category | View Status | Date Submitted | Last Update |
|---|---|---|---|---|---|
| 0019307 | mantisbt | feature | public | 2015-01-30 09:01 | 2026-05-10 09:51 |
| Reporter | foXen | Assigned To | |||
| Priority | normal | Severity | feature | Reproducibility | have not tried |
| Status | acknowledged | Resolution | open | ||
| Product Version | 1.3.0-beta.1 | ||||
| Summary | 0019307: Possibility to report violations of the Content-Security-Policy | ||||
| Description | By enabling a new option there should be added a "report-uri"-directive to the CSP-Header. | ||||
| Tags | No tags attached. | ||||
Eleven years have passed, and the CSP header “report-uri” has now been declared deprecated; it is proposed that it be replaced with “Content-Security-Policy: report-to” and “Reporting-Endpoints:”. Given the current capabilities of MantisBT, I think a more convenient implementation would be in the form of a plugin with its own database table, such as “mantis_csp_reports_table”. The current PR offers a standard file containing JSON reports in the site folder (!), with no size limit. Report URLs can be sent to the plugin via the REST interface and the This implementation will help administrators respond to XSS attacks (or false positives), maintainers debug MantisBT code, and plugin authors who frequently add links to external resources.
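As an added illustration of the header pair and the two report formats mentioned in the comment above (example code, not MantisBT's own and not the PR's): the REST endpoint path, the 16 KiB size cap and the column names are assumptions, chosen to match the plugin-with-a-table idea rather than any existing code.

```php
<?php
// Added example, not MantisBT code: emit the modern CSP reporting header pair
// (report-to + Reporting-Endpoints, with report-uri kept for older browsers)
// and normalise an incoming violation report in either wire format.
declare(strict_types=1);
const CSP_REPORT_MAX_BYTES = 16384;  // assumed cap; the original PR stored reports unbounded

/** Headers a plugin could send; $endpoint is an assumed REST route for the plugin. */
function csp_reporting_headers(string $endpoint): array {
    return [
        'Reporting-Endpoints'     => 'csp-endpoint="' . $endpoint . '"',
        'Content-Security-Policy' => "default-src 'self'; report-to csp-endpoint; report-uri $endpoint",
    ];
}

/** Normalise a report body into rows for a table such as mantis_csp_reports_table; null = rejected. */
function csp_parse_report(string $body, string $contentType): ?array {
    if (strlen($body) > CSP_REPORT_MAX_BYTES) {
        return null;                              // refuse oversized payloads up front
    }
    $data = json_decode($body, true, 8);          // depth limit bounds nesting
    if (!is_array($data)) {
        return null;
    }
    if (str_starts_with($contentType, 'application/csp-report')) {
        $reports = [$data['csp-report'] ?? []];   // legacy report-uri: one report per POST
    } elseif (str_starts_with($contentType, 'application/reports+json')) {
        $reports = array_column(                  // Reporting API: batched, mixed report types
            array_filter($data, fn($r) => ($r['type'] ?? '') === 'csp-violation'), 'body');
    } else {
        return null;
    }
    $rows = [];
    foreach ($reports as $r) {
        $rows[] = [
            'document_uri'       => $r['documentURL'] ?? $r['document-uri'] ?? '',
            'blocked_uri'        => $r['blockedURL'] ?? $r['blocked-uri'] ?? '',
            'violated_directive' => $r['effectiveDirective'] ?? $r['effective-directive'] ?? '',
            'disposition'        => $r['disposition'] ?? 'enforce',  // 'report' under Report-Only
        ];
    }
    return $rows;
}

// Constructed sample: a Reporting API batch with one CSP violation and one unrelated report.
$batch = '[{"type":"deprecation","age":3,"url":"https://mantis.example/","body":{}},'
       . '{"type":"csp-violation","age":12,"url":"https://mantis.example/view.php?id=1","body":{'
       . '"documentURL":"https://mantis.example/view.php?id=1","blockedURL":"inline",'
       . '"effectiveDirective":"script-src-elem","disposition":"enforce"}}]';
print_r(csp_parse_report($batch, 'application/reports+json'));  // one normalised row
```

The same function accepts a legacy `application/csp-report` POST, so a plugin can keep a single ingest route while browsers move from `report-uri` to `report-to`.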
The original PR was a bit of a hack, which is the reason I never merged it. Indeed the proposed plugin approach seems more appropriate. @raspopov are you planning to create such a plugin?
@dregad The company I work for uses an isolated local MantisBT instance and CSP isn't relevant in that case, so I didn't initially require this functionality. However, while working on recent pull requests (PRs) related to script and style isolation, I encountered 'invalid' requests blocked by CSP. A tool like this would undoubtedly make life easier. I’m not yet sure where to place this task on my mental priority list for MantisBT...
No worries, I was just checking. Great if you do, and if not then maybe someone else will before another 11 years go by ;-)