Issue #11825: Support X-Content-Security-Policy (CSP)
Firefox 3.7 supports a new security mechanism called Content Security
Policy (CSP) that acts as a layer to prevent XSS, CSRF and clickjacking
attacks.

We can ensure that MantisBT doesn't load any files (images, scripts,
etc) from external domains by using CSP. The exception to this rule at
the moment is the use of Gravatar for user avatar support in MantisBT.

CSP also allows us to limit the domains which can include MantisBT
within an iframe, helping prevent clickjacking attacks. At the moment we
don't allow MantisBT to be included in any iframes from any domain.

In the future we'll need to create a mechanism for plugins to notify
MantisBT of other domains that are safe to load external data from.
davidhicks committed Apr 22, 2010
1 parent 3cd065d commit d2e05d3
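The policy the commit message describes (same-origin loads, Gravatar as the one image exception, no framing, and a future hook for plugins to register extra origins) can be built from one place. The following is an added example and not MantisBT's own code: it emits the standardized Content-Security-Policy header with default-src rather than the experimental X-Content-Security-Policy allow syntax the commit targets, picks the Gravatar host that matches the page's scheme, and takes a plugin-supplied allowlist that it validates before use. The function names, the shape of $p_plugin_sources and the sample values are assumptions made for this example.

```php
<?php
// Added example, not MantisBT code. Function names, the $p_plugin_sources
// shape and the sample values below are assumptions made for this example.

/**
 * True when the request arrived over TLS. Most SAPIs set $_SERVER['HTTPS']
 * to a non-empty value on TLS requests; IIS sets it to 'off' on plain HTTP.
 * The array is passed in rather than read from $_SERVER so it is testable.
 */
function example_is_https( array $p_server ) {
	if( !isset( $p_server['HTTPS'] ) ) {
		return false;
	}
	$t_https = strtolower( (string)$p_server['HTTPS'] );
	return $t_https !== '' && $t_https !== 'off';
}

/**
 * Build the policy string. $p_plugin_sources maps a directive name to the
 * extra origins a plugin needs, e.g.
 *   array( 'img-src' => array( 'https://badges.example.org' ) )
 * Only absolute http(s) origins are accepted, so a plugin can widen the
 * policy by host but cannot smuggle in 'unsafe-inline', '*' or a data: URL.
 */
function example_build_csp( $p_show_avatar, $p_is_https, array $p_plugin_sources = array() ) {
	$t_sources = array(
		'default-src'     => array( "'self'" ),
		'frame-ancestors' => array( "'none'" ),
	);

	if( $p_show_avatar ) {
		// Use the Gravatar host that matches the page's own scheme, so an
		// HTTPS page never fetches avatars over plain HTTP.
		$t_gravatar = $p_is_https ? 'https://secure.gravatar.com' : 'http://www.gravatar.com';
		$t_sources['img-src'] = array( "'self'", $t_gravatar );
	}

	foreach( $p_plugin_sources as $t_directive => $t_origins ) {
		if( !preg_match( '/^[a-z-]+$/', $t_directive ) ) {
			continue;  // directive names are lowercase ASCII words
		}
		foreach( $t_origins as $t_origin ) {
			if( !preg_match( '#^https?://[A-Za-z0-9.-]+(:[0-9]{1,5})?$#', $t_origin ) ) {
				continue;  // reject anything that is not a plain origin
			}
			if( !isset( $t_sources[$t_directive] ) ) {
				// A new fetch directive starts from 'self', like default-src.
				$t_sources[$t_directive] = array( "'self'" );
			} elseif( $t_sources[$t_directive] === array( "'none'" ) ) {
				// 'none' cannot be combined with other sources; a plugin that
				// names a framing origin replaces it (frame-ancestors case).
				$t_sources[$t_directive] = array();
			}
			if( !in_array( $t_origin, $t_sources[$t_directive], true ) ) {
				$t_sources[$t_directive][] = $t_origin;
			}
		}
	}

	$t_parts = array();
	foreach( $t_sources as $t_directive => $t_origins ) {
		$t_parts[] = $t_directive . ' ' . implode( ' ', $t_origins );
	}
	return implode( '; ', $t_parts );
}

/**
 * Emit the headers. X-Frame-Options is kept for browsers that do not honour
 * CSP frame-ancestors, and DENY is only sent while no framing origin is allowed.
 */
function example_send_security_headers( $p_show_avatar, array $p_plugin_sources = array() ) {
	if( headers_sent() ) {
		return;
	}
	$t_policy = example_build_csp( $p_show_avatar, example_is_https( $_SERVER ), $p_plugin_sources );
	if( strpos( $t_policy, "frame-ancestors 'none'" ) !== false ) {
		header( 'X-Frame-Options: DENY' );
	}
	header( 'Content-Security-Policy: ' . $t_policy );
}

// Constructed sample: an HTTPS request, avatars enabled, and one plugin that
// asks for an extra image host plus a keyword source it should not get.
$t_sample_server = array( 'HTTPS' => 'on' );
echo example_build_csp( true, example_is_https( $t_sample_server ),
	array( 'img-src' => array( 'https://badges.example.org', "'unsafe-inline'" ) ) ), "\n";
```

With the constructed sample the builder returns default-src 'self'; frame-ancestors 'none'; img-src 'self' https://secure.gravatar.com https://badges.example.org: the plugin's host is added, the 'unsafe-inline' keyword is dropped by the origin check, and the HTTPS request selects the secure Gravatar host. Once a plugin is permitted to add a frame-ancestors origin, X-Frame-Options: DENY would contradict the policy, which is why the example only sends it while 'none' is still in effect.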
Showing 1 changed file with 9 additions and 0 deletions.
9 changes: 9 additions & 0 deletions core/http_api.php
@@ -123,6 +123,15 @@ function http_content_headers() {
function http_security_headers() {
if ( !headers_sent() ) {
header( 'X-Frame-Options: DENY' );
$t_avatar_img_allow = '';
if ( config_get_global( 'show_avatar' ) ) {
if ( isset( $_SERVER['HTTPS'] ) && ( utf8_strtolower( $_SERVER['HTTPS'] ) != 'off' ) ) {
$t_avatar_img_allow = "; img-src 'self' http://www.gravatar.com:80";
} else {
$t_avatar_img_allow = "; img-src 'self' https://secure.gravatar.com:443";
}
}
header( "X-Content-Security-Policy: allow 'self'; options inline-script eval-script$t_avatar_img_allow; frame-ancestors 'none'" );
}
}
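Review bot: the two branches of the HTTPS check are swapped. `if ( isset( $_SERVER['HTTPS'] ) && ( utf8_strtolower( $_SERVER['HTTPS'] ) != 'off' ) )` is true for a TLS request, yet that branch sets `img-src 'self' http://www.gravatar.com:80` while the plain-HTTP branch sets `img-src 'self' https://secure.gravatar.com:443`, so an HTTPS page is only permitted the plain-HTTP Gravatar host and vice versa; exchange the two `$t_avatar_img_allow` assignments. Also worth a comment in the code: `options inline-script eval-script` re-enables inline scripts and eval, which gives up most of the XSS protection the commit message claims, so if this is transitional until inline scripts are moved out of the templates, say so next to the header. Finally, `X-Frame-Options: DENY` and `frame-ancestors 'none'` agree today, but when configured domains are later allowed to frame MantisBT both must change together or the two headers will contradict each other.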


0 comments on commit d2e05d3