Activity log for bug #1734767
Date | Who | What changed | Old value | New value | Message |
---|---|---|---|---|---|
2017-11-27 21:10:16 | Robert Lyon | bug | added bug | ||
2017-12-06 23:01:50 | Kristina Hoeppner | summary | Mahara needing the Content Security Policy (CSP) to define what is/isn't allowed | Mahara needing the HTTP Strict Transport Security (HSTS) header when site is https | |
2017-12-06 23:02:10 | Kristina Hoeppner | description | Content Security Policy (CSP) is an HTTP header that allows site operators fine-grained control over where resources on their site can be loaded from. The use of this header is the best method to prevent cross-site scripting (XSS) vulnerabilities. For implementing this we will need to allow the setting of the value to be editable by site admin as some sites may need to be more relaxed than others. A good tool for working out what is needed is https://report-uri.com/home/generate There are 'report' options that will allow an admin to get info on what things are violating the policy to help fine tune what settings are needed. | If a website accepts a connection through HTTP and redirects to HTTPS, visitors may initially communicate with the non-encrypted version of the site before being redirected, if, for example, the visitor types http://www.foo.com/ or even just foo.com. This creates an opportunity for a man-in-the-middle attack. The redirect could be exploited to direct visitors to a malicious site instead of the secure version of the original site. The HTTP Strict Transport Security header informs the browser that it should never load a site using HTTP and should automatically convert all attempts to access the site using HTTP to HTTPS requests instead. | |
2017-12-06 23:02:31 | Kristina Hoeppner | mahara: status | Confirmed | In Progress | |
2017-12-06 23:03:16 | Kristina Hoeppner | nominated for series | mahara/17.10 | ||
2017-12-06 23:03:16 | Kristina Hoeppner | bug task added | mahara/17.10 | ||
2017-12-06 23:03:16 | Kristina Hoeppner | nominated for series | mahara/18.04 | ||
2017-12-06 23:03:16 | Kristina Hoeppner | bug task added | mahara/18.04 | ||
2017-12-06 23:03:16 | Kristina Hoeppner | nominated for series | mahara/16.10 | ||
2017-12-06 23:03:16 | Kristina Hoeppner | bug task added | mahara/16.10 | ||
2017-12-06 23:03:16 | Kristina Hoeppner | nominated for series | mahara/17.04 | ||
2017-12-06 23:03:16 | Kristina Hoeppner | bug task added | mahara/17.04 | ||
2017-12-06 23:03:22 | Kristina Hoeppner | mahara/16.10: status | New | Confirmed | |
2017-12-06 23:03:24 | Kristina Hoeppner | mahara/17.04: status | New | Confirmed | |
2017-12-06 23:03:26 | Kristina Hoeppner | mahara/17.10: status | New | Confirmed | |
2017-12-06 23:03:28 | Kristina Hoeppner | mahara/16.10: importance | Undecided | High | |
2017-12-06 23:03:29 | Kristina Hoeppner | mahara/17.04: importance | Undecided | High | |
2017-12-06 23:03:31 | Kristina Hoeppner | mahara/17.10: importance | Undecided | High | |
2017-12-06 23:03:34 | Kristina Hoeppner | mahara/16.10: milestone | 16.10.7 | ||
2017-12-06 23:03:38 | Kristina Hoeppner | mahara/17.04: milestone | 17.04.5 | ||
2017-12-06 23:03:40 | Kristina Hoeppner | mahara/17.10: milestone | 17.10.1 | ||
2017-12-14 00:43:33 | Robert Lyon | mahara/17.10: milestone | 17.10.1 | 17.10.2 | |
2018-01-16 20:14:30 | Robert Lyon | mahara/18.04: status | In Progress | Fix Committed | |
2018-01-16 20:46:23 | Robert Lyon | mahara/17.10: status | Confirmed | Fix Committed | |
2018-01-16 20:46:25 | Robert Lyon | mahara/17.04: status | Confirmed | Fix Committed | |
2018-01-16 20:46:27 | Robert Lyon | mahara/16.10: status | Confirmed | Fix Committed | |
2018-01-16 22:09:42 | Robert Lyon | information type | Private Security | Public Security | |
2018-01-16 22:09:45 | Robert Lyon | mahara/16.10: status | Fix Committed | Fix Released | |
2018-01-16 22:37:14 | Cecilia Vela Gurovic | mahara/17.04: status | Fix Committed | Fix Released | |
2018-01-17 00:44:36 | Cecilia Vela Gurovic | mahara/17.10: status | Fix Committed | Fix Released | |
2018-01-17 08:04:24 | Kristina Hoeppner | cve linked | 2017-17455 | ||
2018-04-05 22:01:01 | Robert Lyon | mahara/18.04: status | Fix Committed | Fix Released | |