Recent Mantis versions (I'm using 1.2.4) send the HTTP header "X-Frame-Options: DENY" which causes the iframe embedding in Drupal to not work (Mantis does not show). Editing the core/http_api.php and either commenting out this line:
header( 'X-Frame-Options: DENY' );

or changing the DENY to SAMEORIGIN (if Mantis is on the same domain as the Drupal site), will fix it.

Comments

daften

Thanks for the report, we'll see if we can find a workaround for this.

nico.mollet

Actually, 2 parts of Mantis need to be changed (see blog post: http://www.mantisbt.org/blog/?p=102)

*******

If you want to insert your MantisBT installation within an IFrame from a page on the same domain (for instance, bugs.yourname.com contains an IFrame which loads bugs.yourname.com/mantisbt/) then you will need to change the http_security_headers() function as follows:

Find:

header( 'X-Frame-Options: DENY' );

Replace:

header( 'X-Frame-Options: SAMEORIGIN' );

Find:


header( "X-Content-Security-Policy: allow 'self'; options inline-script eval-script$t_avatar_img_allow; frame-ancestors 'none'" );

Replace:

header( "X-Content-Security-Policy: allow 'self'; options inline-script eval-script$t_avatar_img_allow; frame-ancestors 'self'" );

If you’re wanting to load your MantisBT installation in an IFrame from a different domain then you’ll need to comment out (place two forward slashes in front of) this line:

header( 'X-Frame-Options: DENY' );

You’ll then also need to make the following change where somewhere.yourdomain.com is the domain containing the page which loads MantisBT within an IFrame:

header( "X-Content-Security-Policy: allow 'self'; options inline-script eval-script$t_avatar_img_allow; frame-ancestors somewhere.yourdomain.com " );
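The point made in this thread, that both headers have to agree before the iframe loads, can be checked with a small model of the two headers. This is an added example, not part of the thread or of MantisBT; the function names are hypothetical, `$t_avatar_img_allow` is assumed to expand to an empty string, and the model is deliberately conservative (a frame counts as allowed only if every framing header present allows it, and only `'self'`, `'none'` and bare host names are handled).

```python
from urllib.parse import urlsplit

def origin(url):
    """(scheme, host, port) of a URL, with default ports filled in."""
    u = urlsplit(url)
    return (u.scheme, (u.hostname or "").lower(),
            u.port or {"http": 80, "https": 443}.get(u.scheme))

def xfo_allows(value, framed, parent):
    v = value.strip().upper()
    if v == "DENY":
        return False
    if v == "SAMEORIGIN":
        return origin(framed) == origin(parent)
    return True  # other values are not modelled here

def frame_ancestors_allows(policy, framed, parent):
    for directive in policy.split(";"):
        parts = directive.split()
        if not parts or parts[0].lower() != "frame-ancestors":
            continue
        for src in parts[1:]:
            if src == "'self'" and origin(framed) == origin(parent):
                return True
            if src.lower() == origin(parent)[1]:  # bare host name only
                return True
        return False  # 'none', empty list, or no source matched
    return True  # directive absent: this header does not restrict framing

def framing_allowed(headers, framed, parent):
    """Conservative model: every framing header present must allow the parent."""
    h = {k.lower(): v for k, v in headers.items()}
    ok = True
    if "x-frame-options" in h:
        ok = ok and xfo_allows(h["x-frame-options"], framed, parent)
    for name in ("x-content-security-policy", "content-security-policy"):
        if name in h:
            ok = ok and frame_ancestors_allows(h[name], framed, parent)
    return ok

# Constructed sample values; $t_avatar_img_allow is assumed to expand to "".
MANTIS = "http://bugs.yourname.com/mantisbt/"
CSP = "allow 'self'; options inline-script eval-script; frame-ancestors %s"
DEFAULT = {"X-Frame-Options": "DENY", "X-Content-Security-Policy": CSP % "'none'"}
HALF = {"X-Frame-Options": "SAMEORIGIN", "X-Content-Security-Policy": CSP % "'none'"}
SAME = {"X-Frame-Options": "SAMEORIGIN", "X-Content-Security-Policy": CSP % "'self'"}
CROSS = {"X-Content-Security-Policy": CSP % "somewhere.yourdomain.com "}

if __name__ == "__main__":
    for label, hdrs in [("default", DEFAULT), ("half", HALF), ("same", SAME)]:
        print(label, framing_allowed(hdrs, MANTIS, "http://bugs.yourname.com/"))
```

`HALF` is the case where only the first `header()` line was edited: the page is still refused because `frame-ancestors 'none'` remains.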