custom X-Content-Security-Policy

Posted: 01 Feb 2013, 17:47
by jeckyll
Hello

I wrote a little plug-in that basically replaces <latex>some formula</latex> in a multi-text field with an image generated with MathTex.

The resulting img tag looks like <img src="http://<mathtex_server_url>/mathtex.cgi?some formula" />

It works pretty well on IE but not on Firefox because of the "X-Content-Security-Policy".

The solution I found is to modify http_security_headers() in http_api (replacing "allow 'self'" by "allow 'self' <mathtex_server_url>")

Would it be possible to do this in a less "hacky" way?

Regards

Re: custom X-Content-Security-Policy

Posted: 02 Feb 2013, 01:31
by jeckyll
I'm moving from MathTex to MathJax, but I think that my question is still relevant since I must allow remote JS scripts (from the MathJax Content Delivery Network) to execute on my server.

Re: custom X-Content-Security-Policy

Posted: 14 Dec 2023, 11:00
by systemmind
Hello. Could you provide your plugin, please? I would like to have such functionality, and maybe we could check how this issue reproduces now.

Re: custom X-Content-Security-Policy

Posted: 20 Dec 2023, 11:13
by dregad
Have a look at how it's done in the MantisGraph core plugin:
  • Declare event in hooks()

    'EVENT_CORE_HEADERS' => 'csp_headers',
  • Add CSP header

    	function csp_headers() {
    		if( config_get_global( 'cdn_enabled' ) == ON ) {
    			http_csp_add( 'script-src', self::CHARTJS_CDN );
    		}
    	}
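
The approach above applied to the case in the first post, as an added example (not code from this thread or from MantisBT itself). The plugin name, file location (plugins/MathRender/MathRender.php), both origins and the minimum core version are assumptions or placeholders to replace with your own values:

```php
<?php
# Added example: extend the CSP from a plugin instead of editing
# http_security_headers() in core/http_api.php.
class MathRenderPlugin extends MantisPlugin {
	# Constructed placeholder origins. Use the exact scheme + host you need,
	# not a wildcard: every page of the tracker will trust these sources.
	const MATHTEX_ORIGIN = 'https://mathtex.example.org';
	const MATHJAX_CDN = 'https://cdn.example.net';

	function register() {
		$this->name = 'MathRender';
		$this->description = 'Renders <latex> markup in text fields';
		$this->version = '0.1.0';
		# Assumed minimum; set to the MantisBT version you run.
		$this->requires = array( 'MantisCore' => '2.0.0' );
	}

	function hooks() {
		return array(
			# Fired while core builds the HTTP headers
			'EVENT_CORE_HEADERS' => 'csp_headers',
		);
	}

	function csp_headers() {
		# MathTex case: only images are loaded from the remote server,
		# so only img-src is widened. Scripts from it stay blocked.
		http_csp_add( 'img-src', self::MATHTEX_ORIGIN );

		# MathJax case: remote scripts. Honour the site-wide CDN switch so
		# an administrator who disabled CDNs does not get one added back.
		if( config_get_global( 'cdn_enabled' ) == ON ) {
			http_csp_add( 'script-src', self::MATHJAX_CDN );
		}
	}
}
```

A script-src entry lets any script served from that origin run in the tracker's pages, so when the CDN is shared with other projects, hosting the library locally under 'self' keeps the policy tighter.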