Activity log for bug #1734767

| Date | Who | What changed | Old value | New value | Message |
|---|---|---|---|---|---|
| 2017-11-27 21:10:16 | Robert Lyon | bug | | | added bug |
| 2017-12-06 23:01:50 | Kristina Hoeppner | summary | Mahara needing the Content Security Policy (CSP) to define what is/isn't allowed | Mahara needing the HTTP Strict Transport Security (HSTS) header when site is https | |
| 2017-12-06 23:02:10 | Kristina Hoeppner | description | Content Security Policy (CSP) is an HTTP header that allows site operators fine-grained control over where resources on their site can be loaded from. The use of this header is the best method to prevent cross-site scripting (XSS) vulnerabilities. For implementing this we will need to allow the setting of the value to be editable by site admin as some sites may need to be more relaxed than others. A good tool for working out what is needed is https://report-uri.com/home/generate There are 'report' options that will allow an admin to get info on what things are violating the policy to help fine-tune what settings are needed. | If a website accepts a connection through HTTP and redirects to HTTPS, visitors may initially communicate with the non-encrypted version of the site before being redirected, if, for example, the visitor types http://www.foo.com/ or even just foo.com. This creates an opportunity for a man-in-the-middle attack. The redirect could be exploited to direct visitors to a malicious site instead of the secure version of the original site. The HTTP Strict Transport Security header informs the browser that it should never load a site using HTTP and should automatically convert all attempts to access the site using HTTP to HTTPS requests instead. | |
| 2017-12-06 23:02:31 | Kristina Hoeppner | mahara: status | Confirmed | In Progress | |
| 2017-12-06 23:03:16 | Kristina Hoeppner | nominated for series | | mahara/17.10 | |
| 2017-12-06 23:03:16 | Kristina Hoeppner | bug task added | | mahara/17.10 | |
| 2017-12-06 23:03:16 | Kristina Hoeppner | nominated for series | | mahara/18.04 | |
| 2017-12-06 23:03:16 | Kristina Hoeppner | bug task added | | mahara/18.04 | |
| 2017-12-06 23:03:16 | Kristina Hoeppner | nominated for series | | mahara/16.10 | |
| 2017-12-06 23:03:16 | Kristina Hoeppner | bug task added | | mahara/16.10 | |
| 2017-12-06 23:03:16 | Kristina Hoeppner | nominated for series | | mahara/17.04 | |
| 2017-12-06 23:03:16 | Kristina Hoeppner | bug task added | | mahara/17.04 | |
| 2017-12-06 23:03:22 | Kristina Hoeppner | mahara/16.10: status | New | Confirmed | |
| 2017-12-06 23:03:24 | Kristina Hoeppner | mahara/17.04: status | New | Confirmed | |
| 2017-12-06 23:03:26 | Kristina Hoeppner | mahara/17.10: status | New | Confirmed | |
| 2017-12-06 23:03:28 | Kristina Hoeppner | mahara/16.10: importance | Undecided | High | |
| 2017-12-06 23:03:29 | Kristina Hoeppner | mahara/17.04: importance | Undecided | High | |
| 2017-12-06 23:03:31 | Kristina Hoeppner | mahara/17.10: importance | Undecided | High | |
| 2017-12-06 23:03:34 | Kristina Hoeppner | mahara/16.10: milestone | | 16.10.7 | |
| 2017-12-06 23:03:38 | Kristina Hoeppner | mahara/17.04: milestone | | 17.04.5 | |
| 2017-12-06 23:03:40 | Kristina Hoeppner | mahara/17.10: milestone | | 17.10.1 | |
| 2017-12-14 00:43:33 | Robert Lyon | mahara/17.10: milestone | 17.10.1 | 17.10.2 | |
| 2018-01-16 20:14:30 | Robert Lyon | mahara/18.04: status | In Progress | Fix Committed | |
| 2018-01-16 20:46:23 | Robert Lyon | mahara/17.10: status | Confirmed | Fix Committed | |
| 2018-01-16 20:46:25 | Robert Lyon | mahara/17.04: status | Confirmed | Fix Committed | |
| 2018-01-16 20:46:27 | Robert Lyon | mahara/16.10: status | Confirmed | Fix Committed | |
| 2018-01-16 22:09:42 | Robert Lyon | information type | Private Security | Public Security | |
| 2018-01-16 22:09:45 | Robert Lyon | mahara/16.10: status | Fix Committed | Fix Released | |
| 2018-01-16 22:37:14 | Cecilia Vela Gurovic | mahara/17.04: status | Fix Committed | Fix Released | |
| 2018-01-17 00:44:36 | Cecilia Vela Gurovic | mahara/17.10: status | Fix Committed | Fix Released | |
| 2018-01-17 08:04:24 | Kristina Hoeppner | cve linked | | 2017-17455 | |
| 2018-04-05 22:01:01 | Robert Lyon | mahara/18.04: status | Fix Committed | Fix Released | |
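The two headers the bug description covers, audited the way a site admin would verify a fix like this one (an added example, not Mahara's own code): it parses `Strict-Transport-Security` and `Content-Security-Policy` from a response and reports the weaknesses the description warns about, including the caveat that HSTS sent on a plain-HTTP response is ignored by browsers. The one-year max-age threshold, the sample responses and the `/csp-report` path are constructed assumptions.

```python
def parse_hsts(value):
    """Parse 'max-age=31536000; includeSubDomains' into {directive: value}."""
    out = {}
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        if name:
            out[name.strip().lower()] = val.strip().strip('"')
    return out

def parse_csp(value):
    """Parse a CSP into {directive: [source, ...]}."""
    return {t[0].lower(): t[1:] for t in (p.split() for p in value.split(";")) if t}

def audit_headers(headers, scheme="https", min_max_age=31536000):
    """Return findings for the HSTS and CSP headers of one response.
    headers: name -> value (any case); scheme: what the response was served on.
    The one-year min_max_age is an assumed threshold, not a Mahara setting."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("HSTS missing: the http->https redirect stays exposed")
    else:
        if scheme != "https":
            findings.append("HSTS sent over http is ignored by browsers")
        d = parse_hsts(hsts)
        age = d.get("max-age", "")
        if not age.isdigit():
            findings.append("HSTS max-age missing or not a number")
        elif int(age) < min_max_age:
            findings.append(f"HSTS max-age {age} below {min_max_age}")
        if "includesubdomains" not in d:
            findings.append("HSTS lacks includeSubDomains")
    csp = h.get("content-security-policy")
    if csp is None:
        findings.append("CSP is report-only: violations are reported, not blocked"
                        if "content-security-policy-report-only" in h else "CSP missing")
    else:
        p = parse_csp(csp)
        if "'unsafe-inline'" in p.get("script-src", p.get("default-src", [])):
            findings.append("CSP permits inline scripts ('unsafe-inline' in script-src)")
    return findings

# Constructed sample responses (not captured from any real site).
BEFORE = {"Content-Type": "text/html"}
AFTER = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'; script-src 'self'; report-uri /csp-report",
}
```

Running `audit_headers(AFTER)` returns no findings, while `audit_headers(BEFORE)` reports both headers missing.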