Commit
Issue #11825: Support X-Content-Security-Policy (CSP)
Firefox 3.7 supports a new security mechanism called Content Security Policy (CSP) that acts as a layer to prevent XSS, CSRF and clickjacking attacks. We can ensure that MantisBT doesn't load any files (images, scripts, etc.) from external domains by using CSP. The exception to this rule at the moment is the use of Gravatar for user avatar support in MantisBT. CSP also allows us to limit the domains which can include MantisBT within an iframe, helping prevent clickjacking attacks. At the moment we don't allow MantisBT to be included in any iframes from any domain. In the future we'll need to create a mechanism for plugins to notify MantisBT of other domains that are safe to load external data from.
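The policy described in the commit message (same-origin only, an allowlist of external image hosts for avatars, no framing at all), as an added example that is not MantisBT's code: a builder for the header value plus a checker that flags any directive opening the page to unapproved hosts or to framing. Directive names follow the pre-standard X-Content-Security-Policy draft (`allow`, later renamed `default-src` in the standardized header); the Gravatar host is a constructed sample value.

```python
"""Build and sanity-check an X-Content-Security-Policy value.
Added example, not MantisBT code: same-origin only, listed image hosts,
framing forbidden.  Directive names follow the pre-standard X-CSP draft."""
from typing import Dict, Iterable, List

# Keyword sources such as 'self' and 'none' keep their single quotes;
# bare hostnames / origins are written without quotes.
def build_policy(extra_img_hosts: Iterable[str] = ()) -> str:
    """Return the header value: 'allow' (the draft's default directive)
    restricted to 'self', img-src widened by the allowlist, no framing."""
    img_sources = ["'self'"] + sorted(set(extra_img_hosts))
    directives = [
        ("allow", ["'self'"]),
        ("img-src", img_sources),
        ("frame-ancestors", ["'none'"]),
    ]
    return "; ".join(f"{name} {' '.join(srcs)}" for name, srcs in directives)

def parse_policy(value: str) -> Dict[str, List[str]]:
    """Split a policy string into {directive: [source, ...]}."""
    parsed: Dict[str, List[str]] = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            parsed[tokens[0].lower()] = tokens[1:]
    return parsed

def policy_violations(value: str, allowed_external: Iterable[str]) -> List[str]:
    """Report directives that admit a source outside 'self' plus the
    approved allowlist, or that leave framing possible."""
    allowed = {"'self'", *allowed_external}
    problems: List[str] = []
    parsed = parse_policy(value)
    for name, sources in parsed.items():
        if name == "frame-ancestors":
            if sources != ["'none'"]:
                problems.append(f"{name} permits framing: {sources}")
        elif name != "report-uri":  # report-uri names a sink, not a source
            for src in sources:
                if src not in allowed:
                    problems.append(f"{name} allows unapproved source {src}")
    if "frame-ancestors" not in parsed:
        problems.append("frame-ancestors missing: framing not restricted")
    return problems

if __name__ == "__main__":
    gravatar = ["https://secure.gravatar.com"]   # constructed sample host
    policy = build_policy(gravatar)
    print(policy)
    print(policy_violations(policy, gravatar))   # []
    print(policy_violations("allow *; img-src 'self'", gravatar))
```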