View Issue Details

ID: 0021908
Project: mantisbt
Category: security
View Status: public
Last Update: 2023-10-31 16:36
Reporter: atrol
Assigned To: (none)
Priority: normal
Severity: minor
Reproducibility: always
Status: confirmed
Resolution: open
Target Version: 2.27.0
Summary: 0021908: Weakened security headers in 2.0.x
Description

2.0.x comes with http_csp_add( 'style-src', "'unsafe-inline'" ); in http_api.php.
We don't allow unsafe-inline styles in 1.3.x.
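Added example (not MantisBT code and not part of the original report): a small checker that parses a Content-Security-Policy response header and flags directives weakened by 'unsafe-inline', 'unsafe-eval' or a bare wildcard, then diffs two policies to show a regression like the one reported. The two policy strings are constructed to mirror the difference between a policy without and with 'unsafe-inline' in style-src; they are not the exact headers MantisBT 1.3.x or 2.0.x send. It also applies the CSP3 rule that 'unsafe-inline' is ignored when the same directive carries a nonce or hash source, so such a policy is not reported as weak.

```python
"""Check a Content-Security-Policy header for weakened script-src / style-src.

Added example for the report above; the sample policies are constructed
illustrations, not the headers MantisBT actually emits.
"""
from typing import Dict, List, Tuple

# Source expressions that make a directive effectively permissive.
UNSAFE_KEYWORDS = {"'unsafe-inline'", "'unsafe-eval'", "*"}


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split a CSP header into {directive: [source expressions]}.

    Directives are separated by ';' and sources by whitespace. Directive
    names are case-insensitive; browsers ignore a repeated directive, so the
    first occurrence wins here too.
    """
    policy: Dict[str, List[str]] = {}
    for chunk in header.split(";"):
        parts = chunk.split()
        if not parts:
            continue
        policy.setdefault(parts[0].lower(), parts[1:])
    return policy


def effective_sources(policy: Dict[str, List[str]], directive: str) -> List[str]:
    """Resolve a fetch directive, falling back to default-src as browsers do."""
    if directive in policy:
        return policy[directive]
    return policy.get("default-src", [])


def _is_nonce_or_hash(source: str) -> bool:
    s = source.lower()
    return s.startswith("'nonce-") or s.startswith(("'sha256-", "'sha384-", "'sha512-"))


def weakened_directives(
    policy: Dict[str, List[str]],
    directives: Tuple[str, ...] = ("script-src", "style-src"),
) -> Dict[str, List[str]]:
    """Return {directive: [weak sources]} for every directive that is permissive.

    CSP3 caveat handled here: when a directive contains a nonce or hash source,
    browsers ignore 'unsafe-inline' in that directive, so it is not reported.
    """
    findings: Dict[str, List[str]] = {}
    for directive in directives:
        sources = effective_sources(policy, directive)
        has_nonce_or_hash = any(_is_nonce_or_hash(s) for s in sources)
        weak = []
        for source in sources:
            low = source.lower()
            if low == "'unsafe-inline'" and has_nonce_or_hash:
                continue  # neutralised by the nonce/hash, per CSP3
            if low in UNSAFE_KEYWORDS:
                weak.append(source)
        if weak:
            findings[directive] = weak
    return findings


def compare_policies(old_header: str, new_header: str) -> Dict[str, List[str]]:
    """Directives whose weak sources in new_header differ from old_header (regressions)."""
    before = weakened_directives(parse_csp(old_header))
    after = weakened_directives(parse_csp(new_header))
    return {d: weak for d, weak in after.items() if weak != before.get(d)}


# Constructed sample policies: the second adds 'unsafe-inline' to style-src,
# which is the change the report objects to. Not copied from MantisBT.
CSP_STRICT = "default-src 'self'; frame-ancestors 'self'; script-src 'self'; style-src 'self'"
CSP_WEAKENED = "default-src 'self'; frame-ancestors 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'"

if __name__ == "__main__":
    for name, header in (("strict", CSP_STRICT), ("weakened", CSP_WEAKENED)):
        print(name, weakened_directives(parse_csp(header)))
    print("regressions:", compare_policies(CSP_STRICT, CSP_WEAKENED))
```

To check a live instance, paste the value of its Content-Security-Policy response header into parse_csp(); a non-empty result from weakened_directives() for style-src is the condition this report describes.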

Tags: csp

Relationships

has duplicate: 0032932 (closed, dregad) Insecure Content-Security-Policy (CSP)

Activities

yanual (reporter), 2017-11-06 05:56, ~0058143

Why don't you allow unsafe-inline styles in 1.3.x?

atrol (developer), 2017-11-06 06:03, ~0058144

> Why don't you allow unsafe-inline styles in 1.3.x?

Wrong question. It should be: Why do you allow unsafe-inline styles in 2.x?

Allowing unsafe-inline styles decreases security.
That's why I reported the issue.

dregad (developer), 2017-11-06 06:40, ~0058147

@yanual I suggest you read https://stackoverflow.com/a/31759553/1045774 for a brief explanation of the potential risks to your site when unsafe-inline styles are allowed.

yanual (reporter), 2017-11-06 09:11, ~0058148

@atrol, your formulation is indeed better.
OK, I will wait patiently for the postponed treatment of the issue.
@dregad, I know these risks.