Fix #11826: All inline JavaScript now removed
The MantisBT code base is now free of inline JavaScript code. We can
therefore tighten Content-Security-Policy settings to disallow execution
of any inline JavaScript.

This is a major security milestone for browsers supporting
Content-Security-Policy (currently Firefox 4). In the event of an XSS bug
anywhere within MantisBT, JavaScript code can no longer be executed as
part of an XSS exploit. Firefox 4 users are therefore exposed to much
less risk - so much so that any future MantisBT XSS vulnerabilities will
likely be a non-issue.
davidhicks committed Dec 26, 2010
1 parent 4b0e0d5 commit 2a1eed9
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion core/http_api.php
Expand Up @@ -141,7 +141,7 @@ function http_security_headers() {
$t_avatar_img_allow = "; img-src 'self' https://secure.gravatar.com:443";
}
}
header( "X-Content-Security-Policy: allow 'self'; options inline-script eval-script$t_avatar_img_allow; frame-ancestors 'none'" );
header( "X-Content-Security-Policy: allow 'self';$t_avatar_img_allow; frame-ancestors 'none'" );
}
}
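Review bot: the rewritten header line leaves a stray semicolon: `$t_avatar_img_allow` already carries its own leading `"; "` (see the assignment a few lines up, `"; img-src 'self' https://secure.gravatar.com:443"`), so `allow 'self';$t_avatar_img_allow` yields `allow 'self';; img-src ...` when the avatar directive is set, and `allow 'self';; frame-ancestors 'none'` when the variable is empty. The removed line avoided this because the variable followed `eval-script` directly. Suggest dropping the explicit semicolon after `'self'`, i.e. `header( "X-Content-Security-Policy: allow 'self'$t_avatar_img_allow; frame-ancestors 'none'" );`, so the policy has no empty directive regardless of which branch sets the variable. It would also be worth a one-line comment above the header call noting that `inline-script` and `eval-script` were deliberately dropped, so a later contributor does not reintroduce them when adding a script.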

