0034589: CSP img-src has a duplicate 'self' value

ID	Project	Category	View Status	Date Submitted	Last Update
0034589	mantisbt	code cleanup	public	2024-08-20 19:08	2024-08-25 04:31

Reporter	ThecaTTony	Assigned To	dregad
Priority	low	Severity	trivial	Reproducibility	always
Status	closed	Resolution	fixed
Product Version	2.20.0
Target Version	2.26.3	Fixed in Version	2.26.3

Summary	0034589: CSP img-src has a duplicate 'self' value
Description	Hi, I was checking the security headers via https://securityheaders.com and I see that img-src lists 'self' twice: img-src 'self' 'self' data:; The file mantisbt/core/http_api.php has this two lines: 229 http_csp_add( 'img-src', "'self'" ); 230 http_csp_add( 'img-src', "'self' data:" ); I commented line 229 and tested it again on the site and it successfully validated the CSP header. I think it is safe to remove that line from the code.
Tags	No tags attached.

dregad 2024-08-21 09:15 developer ~0069118	The duplicated `'self'` does not really hurt, but you're right it should not be there. Problem was introduced when line 230 was added (see 0025465 for details). I believe that the correct fix is to remove `'self'` from line 230, and just add `data:`: `http_csp_add( 'img-src', "'self'" ); - http_csp_add( 'img-src', "'self' data:" ); + http_csp_add( 'img-src', "data:" );` This requires testing to ensure that Dropzone preview still works after the change.

ThecaTTony 2024-08-21 13:24 reporter ~0069119	I made the suggested changes on the instance I manage and the dropzone works without problems. image.png (23,770 bytes) image.png (23,770 bytes)

dregad 2024-08-21 18:24 developer ~0069120	Yep I ran the same test too. Thanks for the feedback.

MantisBT: master-2.26 3e3e7be4 2024-08-21 11:22 dregad Details Diff	CSP: remove duplicate 'self' entry in img-src Fixes 0034589		Affected Issues 0034589
	mod - core/http_api.php		Diff File