[mantisbt-commits] mantisbt.git branch, master-1.2.x, updated. release-1.2.0-47-gd2e05d3

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 454-5900

The branch, master-1.2.x has been updated
       via  d2e05d3ee8952517973c92bce0a8d33ccf8d7b47 (commit)
      from  3cd065de34b9f75e2829f99c5dc2ff5392ede1db (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit d2e05d3ee8952517973c92bce0a8d33ccf8d7b47
Author: David Hicks <hic...@op...>
Date:   Thu Apr 22 18:26:26 2010 +1000

    Issue #11825: Support X-Content-Security-Policy (CSP)
    
    Firefox 3.7 supports a new security mechanism called Content Security
    Policy (CSP) that acts as a layer to prevent XSS, CSRF and clickjacking
    attacks.
    
    We can ensure that MantisBT doesn't load any files (images, scripts,
    etc) from external domains by using CSP. The exception to this rule at
    the moment is the use of Gravatar for user avatar support in MantisBT.
    
    CSP also allows us to limit the domains which can include MantisBT
    within an iframe, helping prevent clickjacking attacks. At the moment we
    don't allow MantisBT to be included in any iframes from any domain.
    
    In the future we'll need to create a mechanism for plugins to notify
    MantisBT of other domains that are safe to load external data from.

-----------------------------------------------------------------------

Summary of changes:
 core/http_api.php |    9 +++++++++
 1 files changed, 9 insertions(+), 0 deletions(-)

-----------------------------------------------------------------------

commit d2e05d3ee8952517973c92bce0a8d33ccf8d7b47
Author: David Hicks <hic...@op...>
Date:   Thu Apr 22 18:26:26 2010 +1000

    Issue #11825: Support X-Content-Security-Policy (CSP)
    
    Firefox 3.7 supports a new security mechanism called Content Security
    Policy (CSP) that acts as a layer to prevent XSS, CSRF and clickjacking
    attacks.
    
    We can ensure that MantisBT doesn't load any files (images, scripts,
    etc) from external domains by using CSP. The exception to this rule at
    the moment is the use of Gravatar for user avatar support in MantisBT.
    
    CSP also allows us to limit the domains which can include MantisBT
    within an iframe, helping prevent clickjacking attacks. At the moment we
    don't allow MantisBT to be included in any iframes from any domain.
    
    In the future we'll need to create a mechanism for plugins to notify
    MantisBT of other domains that are safe to load external data from.

diff --git a/core/http_api.php b/core/http_api.php
index 6ce456a..3cfdfc8 100644
--- a/core/http_api.php
+++ b/core/http_api.php
@@ -123,6 +123,15 @@ function http_content_headers() {
 function http_security_headers() {
 	if ( !headers_sent() ) {
 		header( 'X-Frame-Options: DENY' );
+		$t_avatar_img_allow = '';
+		if ( config_get_global( 'show_avatar' ) ) {
+			if ( isset( $_SERVER['HTTPS'] ) && ( utf8_strtolower( $_SERVER['HTTPS'] ) != 'off' ) ) {
+				$t_avatar_img_allow = "; img-src 'self' http://www.gravatar.com:80";
+			} else {
+				$t_avatar_img_allow = "; img-src 'self' https://secure.gravatar.com:443";
+			}
+		}
+		header( "X-Content-Security-Policy: allow 'self'; options inline-script eval-script$t_avatar_img_allow; frame-ancestors 'none'" );
 	}
 }
 

-----------------------------------------------------------------------


--
Mantis Bug Tracker


