View Issue Details

ID: 0036864
Project: mantisbt
Category: other
View Status: public
Last Update: 2026-03-07 13:19
Reporter: raspopov
Assigned To: community
Priority: normal
Severity: minor
Reproducibility: always
Status: resolved
Resolution: fixed
Product Version: 2.28.0
Target Version: 2.29.0
Fixed in Version: 2.29.0
Summary: 0036864: Proposal for implementing deferred HTTP headers
Description

Currently, MantisBT outputs HTTP headers directly during core.php initialization, which prevents the use of the http_csp_add() function to modify Content Security Policy (CSP) headers on specific pages. This leads to the unnecessary aggregation of these headers in one common http_security_headers() function and increases the attack surface for potential vulnerabilities.

Delaying the output of the headers until immediately before the page content is output allows for the flexible selection of the styles and scripts that will load for a specific page. Most of these external resources require a specific CSP header. These changes will enable us to remove scripts, such as dropzone.js and bootstrap-datetimepicker.js, from all pages and retain them only on pages that use these scripts.

Tags: No tags attached.

Relationships

related to 0036859 (acknowledged) Optimization of Graphviz calls
related to 0036874 (resolved, community) Support CDN in require_js and require_css functions

Activities

raspopov

2026-02-04 11:40

reporter   ~0070763

Last edited: 2026-02-06 09:17

PR: https://github.com/mantisbt/mantisbt/pull/2178

Example usage for Viz.js

File graphviz_api.php:

...
require_api( 'utility_api.php' );

# Viz.js WebAssembly CSP headers: widen script-src for this page only,
# then (re)emit the Content-Security-Policy header before any output.
http_csp_add( 'script-src', "'wasm-unsafe-eval'" );
http_csp_emit_header();

# Include Viz.js, pinned by version and subresource-integrity hash,
# whether served from the CDN or from the local copy.
if( config_get_global( 'cdn_enabled' ) == ON ) {
    require_js( [ 'src' => 'https://cdn.jsdelivr.net/npm/@viz-js/viz@' . VIZJS_VERSION . '/dist/viz-global.min.js', 'integrity' => VIZJS_HASH ] );
} else {
    require_js( [ 'src' => helper_mantis_url( 'js/viz-global.min.js' ), 'integrity' => VIZJS_HASH ] );
}

/**
 * Base class for graph creation and manipulation.
 *
 * Generates undirected graphs.
 * For directed graphs, use {@see Digraph} class.
 */
class Graph {
...

File manage_config_workflow_graph_page.php:

...
# Must be defined before core.php is loaded, so that core defers header output
# instead of sending the headers during initialization.
define( 'MANTIS_DEFERRED_HEADERS', true );

require_once( 'core.php' );
require_api( 'graphviz_api.php' );
...

Why isn't MANTIS_DEFERRED_HEADERS enabled by default for all pages? In MantisBT, a dozen pages silently assume that loading core.php causes headers to be output. That's not counting plugins.
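As an added illustration of the mechanism the proposal describes, and not code from this page or from MantisBT itself, the following standalone PHP sketch keeps a CSP policy as a list of directives that core would initialize, lets a page widen a single directive, and re-sends the Content-Security-Policy header so the later call replaces the earlier one. The example_csp_* function names, the baseline policy, the rejection of ';' and CR/LF in values, and the headers_sent() guard are all assumptions for illustration; MantisBT's real http_csp_add() and http_csp_emit_header() are only what the comment above shows.

```php
<?php
declare(strict_types=1);

/*
 * Added example, not MantisBT's own http_api.php: a minimal deferred
 * Content-Security-Policy builder. Function names (example_csp_*) and the
 * baseline policy are assumptions for illustration.
 *
 * Core registers a baseline policy, but the header is only sent (or re-sent)
 * right before the page body, so an individual page can still widen one
 * directive for the scripts it actually loads.
 */

/** @var array<string, string[]> directive name => list of source expressions */
$g_example_csp = [];

/** Register a baseline policy (as core.php would). Values are lists so later
 *  additions merge instead of overwriting. */
function example_csp_init(): void {
    global $g_example_csp;
    $g_example_csp = [
        'default-src'     => [ "'self'" ],
        'script-src'      => [ "'self'" ],
        'style-src'       => [ "'self'" ],
        'img-src'         => [ "'self'", 'data:' ],
        'frame-ancestors' => [ "'none'" ],
    ];
}

/** Add one source expression to a directive (deduplicated). Unknown
 *  directives are created so a page can set e.g. worker-src. */
function example_csp_add( string $p_directive, string $p_value ): void {
    global $g_example_csp;
    $t_directive = strtolower( trim( $p_directive ) );
    $t_value = trim( $p_value );
    if( $t_directive === '' || $t_value === '' ) {
        throw new InvalidArgumentException( 'empty CSP directive or value' );
    }
    // A value must not be able to smuggle in a second directive or end the
    // header line (assumed check, not something the issue specifies).
    if( preg_match( '/[;\r\n]/', $t_value ) ) {
        throw new InvalidArgumentException( 'illegal character in CSP value' );
    }
    if( !isset( $g_example_csp[$t_directive] ) ) {
        $g_example_csp[$t_directive] = [];
    }
    if( !in_array( $t_value, $g_example_csp[$t_directive], true ) ) {
        $g_example_csp[$t_directive][] = $t_value;
    }
}

/** Serialize the current policy to a header value. */
function example_csp_build(): string {
    global $g_example_csp;
    $t_parts = [];
    foreach( $g_example_csp as $t_directive => $t_values ) {
        $t_parts[] = $t_directive . ' ' . implode( ' ', $t_values );
    }
    return implode( '; ', $t_parts );
}

/** (Re)send the header. The second argument to header() replaces any
 *  previously queued Content-Security-Policy header, which is what makes a
 *  second call after example_csp_add() safe. Once output has started PHP
 *  can no longer change headers, so report that instead of silently
 *  shipping the old policy. */
function example_csp_emit(): bool {
    if( headers_sent( $t_file, $t_line ) ) {
        error_log( "CSP not updated: output already started at $t_file:$t_line" );
        return false;
    }
    header( 'Content-Security-Policy: ' . example_csp_build(), true );
    return true;
}

// Usage mirroring the Viz.js case from the issue. Run from the CLI,
// header() is a no-op but the policy string can still be inspected.
example_csp_init();
example_csp_emit();                                    // baseline, as core would send it
example_csp_add( 'script-src', "'wasm-unsafe-eval'" );  // page-specific widening
example_csp_add( 'script-src', 'https://cdn.jsdelivr.net' );
example_csp_add( 'script-src', "'self'" );              // duplicate, ignored
example_csp_emit();                                    // replaces the queued header
echo example_csp_build(), PHP_EOL;
```

The point of the headers_sent() check is the failure mode behind the reporter's question: a page (or plugin) that echoes anything before the deferred emit would otherwise keep the baseline policy without noticing, and a widened directive applied too late is indistinguishable from one that was never applied.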

dregad

2026-02-05 02:57

developer   ~0070765

Last edited: 2026-02-05 05:24

@raspopov Great minds think alike... This is the review comment for the http_csp_add() call in PR 2175 I drafted yesterday but forgot to send...

To minimize the exposure and potential security risk, don't you think we should only allow this for the few pages where GraphViz is actually used and not for every single MantisBT script?

I realize this may not be as easy as it seems to implement, since http_all_headers() is called from core.

raspopov

2026-02-06 09:21

reporter   ~0070772

I reworked the PR and managed to avoid adding global constants. Now, PHP can handle all the header work. The main thing is to make sure that CSP headers can be overwritten.

raspopov

2026-02-09 13:49

reporter   ~0070782

The PR was split into two parts. This one introduces convenient work with CSP headers, and the second one improves the require_js() and require_css() functions: 0036874.

Related Changesets

MantisBT: master ec3896de

2026-03-06 20:09

raspopov

Committer: community


Add the ability to reapply CSP headers. (#2178)

Fixes 0036864, PR https://github.com/mantisbt/mantisbt/pull/2178

Affected Issues: 0036864

mod - core/http_api.php