ID: 0026093
Project: mantisbt
Category: plug-ins
View Status: public
Last Update: 2019-12-09 04:32
Reporter: kuz30
Assigned To: dregad
Status: closed
Resolution: fixed
Product Version: 2.21.1
Target Version: 2.23.0
Fixed in Version: 2.23.0
Summary: 0026093: Content Security Policy directive 'frame-ancestors' contains an invalid source when http_csp_add is called for it

Mantis 2.21.1 with the latest BBCodePlus generates a Google Chrome console error:

The source list for Content Security Policy directive 'frame-ancestors' contains an invalid source: ''none''. It will be ignored. Note that 'none' has no effect unless it is the only expression in the source list.

due to the response header:
content-security-policy: ... frame-ancestors 'self' 'none'; ...

Steps To Reproduce

Call http_csp_add( 'frame-ancestors', "'self'" ); in your plugin code

Additional Information

@atrol suggests:
The solution might be to introduce a special treatment in function http_csp_add if $p_type is frame-ancestors. In this case, and if 'none' is set, unset 'none'.

Tags: No tags attached.

Notes
2019-08-28 19:48  developer  ~0062679

Proposed fix in PR

2019-08-28 19:50  developer  ~0062680

I did not check this, but was this issue really introduced in 2.21.1 (I doubt it), or was it present before, and if so, since when?

2019-08-29 02:19  reporter  ~0062683

This issue is from the very beginning of http_csp_add in core/http_api.php; I expect it to reproduce in 1.3.*.
I reliably checked it only in 2.21.1.

Related Changesets

MantisBT: master 2d2f6f7b (2019-08-28 15:46)

Drop CSP frame-ancestor: 'none' if other sources exist

If both 'none' and other values (e.g. 'self') are defined for the
frame-ancestor CSP directive, http_csp_value() now drops 'none', which
is the default set by MantisBT core, and can only exist by itself.

Fixes 0026093
Modified files:
mod - core/http_api.php
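The following is an added Python model of the behaviour this issue and changeset describe; it is not MantisBT's PHP code. It assumes core seeds frame-ancestors with 'none' (as the commit message states) and uses hypothetical functions standing in for http_csp_add() and http_csp_value(). It renders the header both before the fix (where a plugin's 'self' is merged with the default 'none') and after it (where 'none' is dropped once another source exists), and includes a checker that scans any finished Content-Security-Policy header for directives that mix 'none' with other sources, which browsers reject exactly as the reporter's Chrome console shows.

```python
"""Model of the CSP 'none' merging problem from this issue (added example,
not MantisBT's PHP implementation)."""

NONE = "'none'"


def build_policy(plugin_sources):
    """Simulate core defaults plus plugin additions.

    Assumption: core seeds frame-ancestors with 'none'.  Each entry in
    plugin_sources is a (directive, source) pair, standing in for a call to
    http_csp_add() from plugin code.
    """
    policy = {"frame-ancestors": [NONE]}  # assumed core default
    for directive, source in plugin_sources:
        sources = policy.setdefault(directive, [])
        if source not in sources:
            sources.append(source)
    return policy


def directive_value(directive, sources, apply_fix):
    """Render one directive as it would appear in the header.

    With apply_fix, 'none' is dropped as soon as any other source exists:
    'none' is only meaningful as the sole expression, so keeping it next to
    'self' produces the console warning quoted in the report.
    """
    if apply_fix and NONE in sources and len(sources) > 1:
        sources = [s for s in sources if s != NONE]
    return "%s %s" % (directive, " ".join(sources))


def build_header(plugin_sources, apply_fix):
    """Build the full Content-Security-Policy header value."""
    policy = build_policy(plugin_sources)
    return "; ".join(directive_value(d, s, apply_fix)
                     for d, s in policy.items())


def find_none_conflicts(header):
    """Return directive names where 'none' is mixed with other sources.

    Run this over the header your application actually emits as a
    regression check; an empty list means no directive has the problem.
    """
    conflicts = []
    for part in header.split(";"):
        tokens = part.split()
        if not tokens:
            continue
        name, sources = tokens[0], [t.lower() for t in tokens[1:]]
        if NONE in sources and len(sources) > 1:
            conflicts.append(name)
    return conflicts


if __name__ == "__main__":
    # The reproduction step from the report: a plugin adds 'self'.
    plugin = [("frame-ancestors", "'self'")]
    before = build_header(plugin, apply_fix=False)
    after = build_header(plugin, apply_fix=True)
    print("before fix:", before, "->", find_none_conflicts(before))
    print("after fix: ", after, "->", find_none_conflicts(after))
```

The source order in the unfixed output ('none' before 'self') differs from the captured header in the report, which does not matter: the browser rejects the directive whenever 'none' is not the only expression. The checker is deliberately independent of the builder so it can be pointed at a header captured from any application.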