From: David Hicks <hickseydr@op...> - 2010-04-22 08:42:40
I've just committed some changes to MantisBT which help harden MantisBT
against clickjacking, XSS and CSRF attacks.
For some background information on clickjacking (including an example
referring to Bugzilla) have a read of these slides from a talk by Paul
Stone at Black Hat EU 2010:
Firstly, we have X-FRAME-OPTIONS: DENY which prevents other sites from loading
MantisBT inside an iframe. This is an IE8 feature that is starting to
see support in other web browsers.
I've also added a loose X-Content-Security-Policy implementation that
prevents files from other domains from being included. This is an
upcoming feature of Firefox 3.7. CSP also duplicates the effect of
X-FRAME-OPTIONS (with a more advanced implementation) in that one can
specify allowed frame ancestors.
Documentation of CSP can be found here:
HTML generated by MantisBT. Thus the CSP support I've added to MantisBT
of the eval() function so I've set the CSP support to allow use of this
function. This shouldn't be as much of an issue if we're blocking inline
our reliance on eval() in much the same way that MantisBT avoids PHP's
If anyone is using an experimental browser that implements any of these
features, please give the latest MantisBT changes a test. Let me know if
there are any problems you discover.
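As an added example (it is not MantisBT code and not part of this message), the Python script below parses a raw HTTP response and reports whether the two protections described above are present: an X-Frame-Options value of DENY or SAMEORIGIN, and a CSP that restricts frame-ancestors. It also flags whether the policy permits eval() (the concession the message describes) or inline script. The two sample responses are constructed for the example; the script accepts both the standard Content-Security-Policy header name and the X-Content-Security-Policy name the message refers to, and understands the legacy `options eval-script` / `inline-script` syntax alongside the current `'unsafe-eval'` / `'unsafe-inline'` keywords.

```python
"""Offline audit of anti-clickjacking and CSP response headers.

Added example, not MantisBT's own code. Input is a raw HTTP response string,
so it runs without a network connection.
"""
from typing import Dict, List

# Constructed sample responses; neither was captured from a real server.
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "X-Frame-Options: DENY\r\n"
    "Content-Security-Policy: default-src 'self'; "
    "script-src 'self' 'unsafe-eval'; frame-ancestors 'none'\r\n"
    "\r\n"
    "<html><body>bug tracker</body></html>"
)

BARE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "\r\n"
    "<html><body>bug tracker</body></html>"
)


def parse_headers(raw_response: str) -> Dict[str, List[str]]:
    """Map lowercased header names to their values (a header may repeat)."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    headers: Dict[str, List[str]] = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def parse_csp(policy: str) -> Dict[str, List[str]]:
    """Turn 'directive src src; directive src' into a directive map."""
    directives: Dict[str, List[str]] = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return directives


def audit_response(raw_response: str) -> Dict[str, object]:
    """Return framing/eval/inline status plus a list of human-readable findings."""
    headers = parse_headers(raw_response)
    findings: List[str] = []

    # 1. X-Frame-Options: only DENY and SAMEORIGIN count as protection.
    xfo_values = [v.upper() for v in headers.get("x-frame-options", [])]
    xfo_ok = any(v in ("DENY", "SAMEORIGIN") for v in xfo_values)
    if not xfo_ok:
        findings.append("no X-Frame-Options: DENY/SAMEORIGIN header")

    # 2. CSP under the standard name or the legacy X- prefixed name.
    policies = (headers.get("content-security-policy", [])
                + headers.get("x-content-security-policy", []))
    csp_frames_ok = eval_allowed = inline_allowed = False
    if not policies:
        findings.append("no CSP header at all")
    for policy in policies:
        d = parse_csp(policy)
        # frame-ancestors replaces X-Frame-Options; a wildcard protects nothing.
        if "frame-ancestors" in d and "*" not in d["frame-ancestors"]:
            csp_frames_ok = True
        else:
            findings.append("CSP has no frame-ancestors directive")
        # script-src falls back to default-src when absent (current syntax);
        # 'options' carries the same keywords in the legacy syntax.
        scripts = d.get("script-src", d.get("default-src", []))
        legacy_opts = d.get("options", [])
        if "'unsafe-eval'" in scripts or "eval-script" in legacy_opts:
            eval_allowed = True
        if "'unsafe-inline'" in scripts or "inline-script" in legacy_opts:
            inline_allowed = True
    if eval_allowed:
        findings.append("CSP permits eval()")
    if inline_allowed:
        findings.append("CSP permits inline script")

    return {
        "frame_protected": xfo_ok or csp_frames_ok,
        "eval_allowed": eval_allowed,
        "inline_allowed": inline_allowed,
        "findings": findings,
    }


if __name__ == "__main__":
    for label, raw in (("hardened", HARDENED_RESPONSE), ("bare", BARE_RESPONSE)):
        print(label, audit_response(raw))
```

Either protection alone marks the response as frame-protected, since a browser honouring CSP frame-ancestors ignores X-Frame-Options for the same page; the finding list still names whichever header is missing so the gap is visible when auditing a server that must support older browsers.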