Plugin EVENT CORE HEADER CSP issue

rkarmann
Posts: 66
Joined: 24 Nov 2017, 10:00
Location: Lille, France

Plugin EVENT CORE HEADER CSP issue

Post by rkarmann »

Hi everyone,

I'm writing a wiki-based plugin for Mantis, and my company asked me to integrate a Rich Text Editor (like TinyMCE, CKEditor, wysisygblablabla...) so users writing articles would be able to format the content. That's fine, I've decided to use CKEditor v4.8, it is light, open-source based and working just fine. The matter is that, by using it in Chrome or Mozilla, the editor doesn't work. It's just stuck.

Looking into DOM elements and the console I found out that it was CSP issues like (in Chrome):
Image

Searching for further information in the developer guide, I saw section 5.2:

Event Reference > System Event > EVENT CORE HEADER
This event is triggered by the MantisBT bootstrap process just before emitting the headers. This enables plugins to emit their own headers or use API that enables tweaking values of headers emitted by core. An example, of headers that can be tweaked is Content-Security-Policy header which can be tweaked using http_csp_*() APIs.
So here is my question: how does the http_csp_*() API work? What type of parameter does it need? And if possible, tweaks that can resolve my CSP issues?

Thanks a lot
Currently working on a wiki-based plugin for MantisBT 2.X. If you'd like to test it, contact me or see the plugin section.
atrol
Site Admin
Posts: 8366
Joined: 26 Mar 2008, 21:37
Location: Germany

Re: Plugin EVENT CORE HEADER CSP issue

Post by atrol »

Might be enough to push you in the right direction
https://github.com/mantisbt/mantisbt/bl ... h.php#L103
Please use Search before posting and read the Manual
Starbuck
Posts: 219
Joined: 14 Feb 2006, 02:53
Location: USA
Contact:

Re: Plugin EVENT CORE HEADER CSP issue

Post by Starbuck »

This thread would be better suited for the Plugins forum.
If you want Mantis to work differently, use or create a plugin. Visit the Plugins forums.
Ask developers to create a plugin that you need - and motivate them to help you!
rkarmann
Posts: 66
Joined: 24 Nov 2017, 10:00
Location: Lille, France

Re: Plugin EVENT CORE HEADER CSP issue

Post by rkarmann »

@atrol Thanks for the reply, I'll look deep into it :)

@Starbuck I was not aware that it was now possible to post plugin topics into the Plugin section, thanks. :D

EDIT:

I added the 'http_csp_add' function hooked to the EVENT_CORE_HEADERS event:

Code:

// Entry in the array returned by the plugin's hooks() method
'EVENT_CORE_HEADERS' => 'csp_headers',

Code:

function csp_headers() {
    // Allow scripts loaded from the cdnjs host
    http_csp_add( 'script-src', 'https://cdnjs.cloudflare.com' );
}

The first call is working great, 2 of my previous errors disappeared but I'm still stuck with the following:

Image

Any clue or advice?
rkarmann
Posts: 66
Joined: 24 Nov 2017, 10:00
Location: Lille, France

Re: Plugin EVENT CORE HEADER CSP issue

Post by rkarmann »

Ok guys,

Problem solved. It was, as usual, syntax errors...

I resolved all the issues by adding:

Code:

function csp_headers() {
    // Allow scripts loaded from the cdnjs host
    http_csp_add( 'script-src', 'https://cdnjs.cloudflare.com' );
    // CSP keywords keep their single quotes inside the header value
    http_csp_add( 'script-src', "'unsafe-inline'" );
}

Thanks for your time
Currently working on a wiki-based plugin for MantisBT 2.X. If you'd like to test it, contact me or see the plugin section.
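
Added example, not part of the thread or of MantisBT's code: a simplified model of how a browser reads script-src, showing what each of the two http_csp_add() values above changes and why the keyword must reach the header with its single quotes. The base policy, the origin https://mantis.example, the script URL and all function names are constructed for illustration.

```javascript
// Simplified CSP script-src model: exact-origin host matching, no wildcards or paths.

// Parse a Content-Security-Policy header value into { directive: [sources] }.
function parseCsp(header) {
  const policy = {};
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // A directive repeated within one policy is ignored; the first one wins.
    if (!(name in policy)) policy[name] = tokens.slice(1);
  }
  return policy;
}

// Source list that governs scripts: script-src, else the default-src fallback.
function scriptSources(header) {
  const policy = parseCsp(header);
  return policy['script-src'] || policy['default-src'] || null;
}

// Inline <script> blocks and on* handlers need the single-quoted keyword.
function allowsInlineScript(header) {
  const sources = scriptSources(header);
  if (sources === null) return true; // nothing restricts scripts
  // Browsers ignore 'unsafe-inline' once a nonce or hash source is listed.
  const nonceOrHash = sources.some(s => /^'(nonce|sha(256|384|512))-/i.test(s));
  return !nonceOrHash && sources.some(s => s.toLowerCase() === "'unsafe-inline'");
}

// External script: its origin must equal a listed host source or 'self'.
function allowsScriptUrl(header, url, selfOrigin) {
  const sources = scriptSources(header);
  if (sources === null) return true;
  const origin = new URL(url).origin;
  return sources.some(s => s.toLowerCase() === origin ||
    (s.toLowerCase() === "'self'" && origin === selfOrigin));
}

// Constructed policies: a base, then the two http_csp_add() values from the thread.
const SELF = 'https://mantis.example';
const BASE = "default-src 'self'; script-src 'self'";
const WITH_CDN = BASE + ' https://cdnjs.cloudflare.com';
const UNQUOTED = WITH_CDN + ' unsafe-inline';   // keyword without its quotes
const QUOTED = WITH_CDN + " 'unsafe-inline'";   // as in the final post
const CDN_JS = 'https://cdnjs.cloudflare.com/ckeditor.js'; // constructed URL

console.log(allowsScriptUrl(BASE, CDN_JS, SELF), allowsScriptUrl(WITH_CDN, CDN_JS, SELF));
console.log(allowsInlineScript(WITH_CDN), allowsInlineScript(UNQUOTED), allowsInlineScript(QUOTED));
```

Without the quotes the browser reads unsafe-inline as a host name, so inline scripts stay blocked. With the quotes, every inline script on the page is permitted, not only the editor's.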