Fix Content-Security-Policy Headers #275
Conversation
|
+1, but didn't someone mention wanting to drop CSP support ? |
|
Given that it helps mitigate XSS, and that we accept a lot of user input to various pages/forms, and that the new version of the header is supported by safari, chrome and firefox. We published a blog post on our blog about how we would support this feature @ http://www.mantisbt.org/blog/?p=126 Not really sure why we would want to drop it... |
|
I don't want to drop it myself actually. I just recalled reading something about it recently - here it is http://www.mantisbt.org/bugs/view.php?id=17491#c41140 |
|
I've added some comments to the discussion on the associated issue. I think since there is a standard version of the header, we should continue to adopt it. However, the question is whether to use the standard version in the browsers that support it, and fallback to non standard versions for ones that don't. See wikipedia article (status section) for the different versions of the header: http://en.wikipedia.org/wiki/Content_Security_Policy Our goal should to maximize the percentage of the pie where this functionality is effective. This will give us higher security and make it easier to find out when we break the functionality. |
|
It's a good idea to have a fallback mechanism, assuming it does not generate too much overhead. |
|
+1 |
Firefox complains when accessing mantis 1.3 about the deprecated headers. X-Content-Security-Policy is replaced by Content Security Policy
Firefox complains when accessing mantis 1.3 about the deprecated headers.
X-Content-Security-Policy is replaced by Content Security Policy