View Issue Details

ID: 0021908
Project: mantisbt
Category: security
View Status: public
Last Update: 2026-05-14 07:40
Reporter: atrol
Assigned To:
Priority: normal
Severity: minor
Reproducibility: always
Status: confirmed
Resolution: open
Target Version: 2.29.0
Summary: 0021908: Weakened security headers in 2.0.x
Description

2.0.x comes with http_csp_add( 'style-src', "'unsafe-inline'" ); in http_api.php.
We don't allow unsafe-inline styles in 1.3.x.

Tagscsp

Relationships

related to 0021916 (new): CSP violation issues
has duplicate 0032932 (closed, dregad): Insecure Content-Security-Policy (CSP)

Activities

yanual

2017-11-06 05:56

reporter   ~0058143

Why don't you allow unsafe-inline styles in 1.3.x?

atrol

2017-11-06 06:03

developer   ~0058144

Why don't you allow unsafe-inline styles in 1.3.x?

Wrong question, it should be: Why do you allow unsafe-inline styles in 2.x?

Allowing unsafe-inline styles decreases security.
That's why I reported the issue.

dregad

2017-11-06 06:40

developer   ~0058147

@yanual I suggest you read https://stackoverflow.com/a/31759553/1045774 for a brief explanation of the potential risks to your site when unsafe-inline styles are allowed.

yanual

2017-11-06 09:11

reporter   ~0058148

@atrol your formulation is indeed better.
OK, I will wait patiently for the postponement of the treatment of the issue.
@dregad I know these risks.

raspopov

2026-05-13 13:54

reporter   ~0071102

For no particular reason (0019307), I started looking into CSP in MantisBT and also came to the conclusion that the call http_csp_add( 'style-src', "'unsafe-inline'" ); should be removed from http_api.php. To do this correctly, all uses of the style attribute must first be removed from all HTML within MantisBT. But even without considering CSP, switching from inline style attributes to external class selectors is a more versatile approach to web design, offering improved maintainability and code structure, and better performance.

PR (draft): https://github.com/mantisbt/mantisbt/pull/2219
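A small check for the two halves of the change raspopov describes (a policy that still grants 'unsafe-inline' for styles, and the style attributes that would start violating a stricter style-src), added here as an example in Python; it is not MantisBT code and not part of this thread, and the header values and HTML snippet are constructed samples.

```python
from html.parser import HTMLParser


def parse_csp(header):
    """Split a Content-Security-Policy value into {directive: [source expressions]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.strip().split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def style_sources(policy):
    """style-src falls back to default-src when it is not set explicitly."""
    return policy.get("style-src", policy.get("default-src", []))


def allows_unsafe_inline_styles(header):
    """True if the policy grants blanket inline styles (style attributes and <style>).
    CSP2-aware browsers ignore 'unsafe-inline' once a nonce or hash source is listed,
    so such a policy does not grant it."""
    srcs = [s.lower() for s in style_sources(parse_csp(header))]
    if any(s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in srcs):
        return False
    return "'unsafe-inline'" in srcs


class InlineStyleFinder(HTMLParser):
    """Collect every element carrying a style attribute; each would violate a strict style-src."""
    def __init__(self):
        super().__init__()
        self.hits = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name.lower() == "style":
                self.hits.append((tag, value or ""))


def find_inline_styles(html):
    finder = InlineStyleFinder()
    finder.feed(html)
    return finder.hits


def audit(header, html):
    """Findings to clear before dropping 'unsafe-inline' from style-src."""
    findings = []
    if allows_unsafe_inline_styles(header):
        findings.append("style-src permits 'unsafe-inline'")
    for tag, value in find_inline_styles(html):
        findings.append(f"inline style on <{tag}>: {value}")
    return findings


# Constructed samples: a policy shaped like the 2.0.x one, a strict one, and a page fragment.
WEAK_CSP = "default-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self'"
STRICT_CSP = "default-src 'self'; style-src 'self'; script-src 'self'"
SAMPLE_HTML = '<table><tr><td style="width:50%">x</td></tr></table><p class="note">ok</p>'

if __name__ == "__main__":
    for line in audit(WEAK_CSP, SAMPLE_HTML):
        print(line)
```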