View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
0026093 | mantisbt | plug-ins | public | 2019-08-28 13:22 | 2019-12-09 04:32 |
Reporter | kuz30 | Assigned To | dregad |
Priority | normal | Severity | minor | Reproducibility | always |
Status | closed | Resolution | fixed |
Product Version | 2.21.1 |
Target Version | 2.23.0 | Fixed in Version | 2.23.0 |
Summary | 0026093: Content Security Policy directive 'frame-ancestors' contains an invalid source when http_csp_add is called for it |
Description | Mantis 2.21.1 with latest BBCodePlus generates Google Chrome console error due to response header: |
Steps To Reproduce | Call |
Additional Information | @atrol suggests: |
Tags | No tags attached. |
Proposed fix in PR https://github.com/mantisbt/mantisbt/pull/1554 |
|
I did not check this, but was this issue really introduced in 2.21.1 (I doubt it), or was it present before and if so since when? |
|
this issue is from the very beginning of |
|
MantisBT: master 2d2f6f7b 2019-08-28 15:46 Details Diff |
Drop CSP frame-ancestor: 'none' if other sources exist If both 'none' and other values (e.g. 'self') are defined for the frame-ancestor CSP directive, http_csp_value() now drops 'none', which is the default set by MantisBT core, and can only exist by itself. Fixes 0026093 |
Affected Issues 0026093 |
|
mod - core/http_api.php | Diff File |
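
The behaviour the commit message describes, sketched as an added example that is not the code from core/http_api.php: when a directive's source list holds 'none' together with other sources, 'none' is dropped before the header is built. The function names `csp_normalize_sources` and `csp_build_header` and the sample policy are assumptions made for illustration.

```php
<?php
// Added illustration: hypothetical helpers, not MantisBT's http_api.php code.

/**
 * Normalise one directive's source list: trim, de-duplicate, and drop
 * 'none' when any other source is present, since 'none' is only valid alone.
 */
function csp_normalize_sources(array $sources): array {
    $sources = array_values(array_unique(array_map('trim', $sources)));

    // CSP keywords are matched case-insensitively, so compare that way.
    $others = array_values(array_filter($sources, function ($source) {
        return strcasecmp($source, "'none'") !== 0;
    }));

    if ($others !== []) {
        return $others;               // real sources win over the default
    }
    return $sources === [] ? [] : ["'none'"];
}

/**
 * Build the header line from a directive => sources map (hypothetical shape).
 */
function csp_build_header(array $policy): string {
    $parts = [];
    foreach ($policy as $directive => $sources) {
        $value = implode(' ', csp_normalize_sources($sources));
        $parts[] = rtrim($directive . ' ' . $value);
    }
    return 'Content-Security-Policy: ' . implode('; ', $parts);
}

// Constructed sample: a restrictive default for frame-ancestors, to which a
// plugin later adds 'self', which is the combination the browser rejects.
$policy = [
    'default-src'     => ["'self'"],
    'frame-ancestors' => ["'none'", "'self'"],
];

echo csp_build_header($policy), PHP_EOL;

// With only the default present, 'none' is kept as the sole source.
echo csp_build_header(['frame-ancestors' => ["'none'"]]), PHP_EOL;
```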