From: <gi...@ma...> - 2010-04-22 08:33:21
The branch, master-1.2.x has been updated
       via  d2e05d3ee8952517973c92bce0a8d33ccf8d7b47 (commit)
      from  3cd065de34b9f75e2829f99c5dc2ff5392ede1db (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit d2e05d3ee8952517973c92bce0a8d33ccf8d7b47
Author: David Hicks <hic...@op...>
Date:   Thu Apr 22 18:26:26 2010 +1000

    Issue #11825: Support X-Content-Security-Policy (CSP)

    Firefox 3.7 supports a new security mechanism called Content Security
    Policy (CSP) that acts as a layer to prevent XSS, CSRF and clickjacking
    attacks. We can ensure that MantisBT doesn't load any files (images,
    scripts, etc) from external domains by using CSP.

    The exception to this rule at the moment is the use of Gravatar for
    user avatar support in MantisBT.

    CSP also allows us to limit the domains which can include MantisBT
    within an iframe, helping prevent clickjacking attacks. At the moment
    we don't allow MantisBT to be included in any iframes from any domain.

    In the future we'll need to create a mechanism for plugins to notify
    MantisBT of other domains that are safe to load external data from.

-----------------------------------------------------------------------

Summary of changes:
 core/http_api.php |    9 +++++++++
 1 files changed, 9 insertions(+), 0 deletions(-)

-----------------------------------------------------------------------

commit d2e05d3ee8952517973c92bce0a8d33ccf8d7b47
Author: David Hicks <hic...@op...>
Date:   Thu Apr 22 18:26:26 2010 +1000

    Issue #11825: Support X-Content-Security-Policy (CSP)

diff --git a/core/http_api.php b/core/http_api.php
index 6ce456a..3cfdfc8 100644
--- a/core/http_api.php
+++ b/core/http_api.php
@@ -123,6 +123,15 @@ function http_content_headers() {
 function http_security_headers() {
 	if ( !headers_sent() ) {
 		header( 'X-Frame-Options: DENY' );
+		$t_avatar_img_allow = '';
+		if ( config_get_global( 'show_avatar' ) ) {
+			if ( isset( $_SERVER['HTTPS'] ) && ( utf8_strtolower( $_SERVER['HTTPS'] ) != 'off' ) ) {
+				$t_avatar_img_allow = "; img-src 'self' http://www.gravatar.com:80";
+			} else {
+				$t_avatar_img_allow = "; img-src 'self' https://secure.gravatar.com:443";
+			}
+		}
+		header( "X-Content-Security-Policy: allow 'self'; options inline-script eval-script$t_avatar_img_allow; frame-ancestors 'none'" );
 	}
 }
-----------------------------------------------------------------------

--
Mantis Bug Tracker
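Review bot: the two branches of the new HTTPS check in http_security_headers() look swapped: when $_SERVER['HTTPS'] is set and not 'off' (the page is being served over TLS) the policy allows `http://www.gravatar.com:80`, while the plain-HTTP case allows `https://secure.gravatar.com:443`. On an HTTPS install a secure.gravatar.com avatar would therefore be blocked by the policy and a www.gravatar.com one would be mixed content; exchanging the two assignments gives the intended source in each case. A second point on the final header line: `options inline-script eval-script` opts back in to inline and eval'd script, so this header provides little of the XSS protection the commit message describes, and that trade-off deserves a code comment; the `frame-ancestors 'none'` part does match the existing `X-Frame-Options: DENY` and is what delivers the clickjacking coverage.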