Doing more testing with CRM 2011 Rollup 12, I found that Chrome closed its own window as soon as I logged into CRM. This is very annoying, but having worked with CRM in IE before, I knew what this was. By chance I was able to verify it by going to the CRM URL and changing the last part of the URL to /main.aspx: I got a notification that a popup was blocked. Sure enough, after I added the CRM address to the popup blocker exception list, there were no more self-closing windows.
Update 2/14/13: I should also note that this affects Safari as well. Popup blockers cause quite a problem with CRM, and there is no notification about what it is about to do. I find the fact that CRM needs to launch into its own window a pain. I personally keep it in a pinned tab in Chrome. I don’t worry about it, and when I need CRM it’s there and not in some other obscure window.
While testing out CRM 2011 Rollup 12, I noticed that I could not get it to log me in from Chrome. Checking my security log and resetting Chrome back to defaults still didn’t shed any light on why this was happening.
After much searching, I happened to find the article explaining this: http://support.microsoft.com/kb/2709891/en-us?sd=rss&spid=15707
While this requires a registry edit and supposedly opens up a man in the middle attack, it does indeed fix it. Hopefully a proper fix comes out in the near future to resolve this properly. In the meantime this works well.
Content Security Policy is a relatively new header being promoted. Browsers such as Firefox 4 will make use of it. Considering the benefits it and the X-Frame-Options header offer, it is almost stupid not to look into this.
These new headers try to do one thing, and that is to prevent some of the common security issues (clickjacking, XSS, and data injection).
However, Google Ads require some setup. You have to allow their domains in multiple source directives. From my tests, this means listing them in both the allow and script-src directives (two domains).
Mantis has already implemented this in their source code. Because what they implemented is so limiting, it breaks a lot of integrations. SimpleMachines.org uses Mantis as its bug tracking software, and CSP also happened to break everything from working correctly in Firefox 4.
So after some testing with Firefox 4 and reading the CSP information, I came up with the following header (which you can view if you have the proper tools installed and visit Mantis on SimpleMachines.org).
header( "X-Content-Security-Policy: allow 'self' http://pagead2.googlesyndication.com; options inline-script eval-script; img-src 'self' *; script-src 'self' http://*.simplemachines.org http://pagead2.googlesyndication.com http://googleads.g.doubleclick.net; style-src 'self' http://*.simplemachines.org; frame-ancestors 'none'" );
Note that img-src is set to 'self' and *. The wildcard allows us to load remote images. Although this lowers security, there is no other simple way to do this with remote avatars. The header gets nasty in length, and I personally start to worry about whether all the headers can still be transmitted in one packet in some setups where the header is even longer. But this is the price you pay for security.
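As an added example (not code from the original post or from Mantis), here is a small Python script that parses the legacy X-Content-Security-Policy value shown above, rewrites it into the standardized Content-Security-Policy form that later browsers use (the legacy allow directive becomes default-src, and options inline-script / eval-script become the 'unsafe-inline' / 'unsafe-eval' keywords inside script-src), and reports the header's size on the wire so you can see how the length concern plays out. The policy string is the one from this post; everything else is constructed for the example.

```python
"""Translate a legacy X-Content-Security-Policy value (Firefox 4 syntax)
into standard Content-Security-Policy syntax and measure its wire size."""

LEGACY_HEADER = "X-Content-Security-Policy"
STANDARD_HEADER = "Content-Security-Policy"

# Policy value taken from the post above (the Mantis header).
MANTIS_POLICY = (
    "allow 'self' http://pagead2.googlesyndication.com; "
    "options inline-script eval-script; img-src 'self' *; "
    "script-src 'self' http://*.simplemachines.org "
    "http://pagead2.googlesyndication.com http://googleads.g.doubleclick.net; "
    "style-src 'self' http://*.simplemachines.org; frame-ancestors 'none'"
)


def parse_policy(value):
    """Split 'dir src src; dir src' into an ordered dict of directive -> sources."""
    directives = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            directives.setdefault(tokens[0].lower(), []).extend(tokens[1:])
    return directives


def legacy_to_standard(value):
    """Map legacy directives onto CSP 1.0 names; other directives pass through."""
    legacy = parse_policy(value)
    std = {}
    for name, sources in legacy.items():
        if name == "allow":
            std["default-src"] = list(sources)   # 'allow' was the old default
        elif name != "options":                   # 'options' handled below
            std[name] = list(sources)
    options = legacy.get("options", [])
    # The legacy options only governed scripts; CSP 1.0 expresses them as
    # keyword sources in script-src (falling back to default-src if absent).
    script = std.setdefault("script-src", list(std.get("default-src", [])))
    if "inline-script" in options and "'unsafe-inline'" not in script:
        script.append("'unsafe-inline'")
    if "eval-script" in options and "'unsafe-eval'" not in script:
        script.append("'unsafe-eval'")
    # Note: CSP 1.0 also blocks inline <style> unless style-src has 'unsafe-inline'.
    return std


def serialize(directives):
    return "; ".join(f"{name} {' '.join(srcs)}" for name, srcs in directives.items())


def header_length(name, value):
    """Bytes the 'Name: value\\r\\n' line occupies in the HTTP response."""
    return len(f"{name}: {value}\r\n".encode("ascii"))


if __name__ == "__main__":
    std = legacy_to_standard(MANTIS_POLICY)
    print(f"{STANDARD_HEADER}: {serialize(std)}")
    print("legacy bytes:", header_length(LEGACY_HEADER, MANTIS_POLICY))
    print("standard bytes:", header_length(STANDARD_HEADER, serialize(std)))
```

Running it prints the translated header and both byte counts, which is a quick way to check whether a long policy is pushing the response headers toward the limits mentioned above.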