Recent Mantis versions (I'm using 1.2.4) send the HTTP header "X-Frame-Options: DENY" which causes the iframe embedding in Drupal to not work (Mantis does not show). Editing the core/http_api.php and either commenting out this line:
header( 'X-Frame-Options: DENY' );

or changing the DENY to SAMEORIGIN (if mantis is on the same domain as the drupal site), will fix it.

Comments

daften’s picture

Thanks for the report, we'll see if we can find a workaround for this.

nico.mollet’s picture

Actually, 2 parts of Mantis need to be changed (see blog post : http://www.mantisbt.org/blog/?p=102)

*******

If you want to insert your MantisBT installation within an IFrame from a page on the same domain (for instance, bugs.yourname.com contains an IFrame which loads bugs.yourname.com/mantisbt/) then you will need to change the http_security_headers() function as follows:

Find:

<?php
header
( 'X-Frame-Options: DENY' );
?>

Replace:

<?php
header
( 'X-Frame-Options: SAMEORIGIN' );
?>

Find:

<?php
header
( "X-Content-Security-Policy: allow 'self'; options inline-script eval-script$t_avatar_img_allow; frame-ancestors 'none'" );
?>

Replace:

<?php
header
( "X-Content-Security-Policy: allow 'self'; options inline-script eval-script$t_avatar_img_allow; frame-ancestors 'self'" );
?>

If you’re wanting to load your MantisBT installation in an IFrame from a different domain then you’ll need to comment out (place two forward slashes in front of) this line:

<?php
header
( 'X-Frame-Options: DENY' );
?>

You’ll then also need to make the following change where somewhere.yourdomain.com is the domain containing the page which loads MantisBT within an IFrame:

<?php
header
( "X-Content-Security-Policy: allow 'self'; options inline-script eval-script$t_avatar_img_allow; frame-ancestors somewhere.yourdomain.com " );
?>