[Xymon] "sandboxed" errors in 4.3.27

Andrey Chervonets A.Chervonets at cominder.eu
Thu Jan 12 22:49:13 CET 2017


Thank You!

Setting the XYMON_NOCSPHEADER variable fixed the trouble.

In this case the clients are relatively safe.


Best regards,

Andrey Chervonets
----------------------
SIA CoMinder
http://www.cominder.eu/





From:   Japheth Cleaver <cleaver at terabithia.org>
To:     Andrey Chervonets <A.Chervonets at cominder.eu>, xymon at xymon.com
Date:   12.01.2017 20:12
Subject:        Re: [Xymon] "sandboxed" errors in 4.3.27



On 1/12/2017 9:34 AM, Andrey Chervonets wrote:
We have recently upgraded our monitoring server from 4.3.17 to 4.3.27 and
are now getting " is sandboxed, and the 'allow-scripts' keyword is not set."
errors in modern Chrome for svcstatus.sh pages.

Let me explain:
Some of our custom tests may generate large content with detailed technical
information, which is not always required to show on the web page.
The monitoring test generates HTML content with a DIV having
style='display: none'.

The HTML content also contains an <A HREF> element with a JavaScript
function call to show the DIV content on click (or hide it on click again).
The appropriate JavaScript function is placed in the page header, in the
HEAD element, in
./server/web/hostsvc_header
./server/web/histlog_header

So the generated header is the following:
============== 
<HEAD> 
<META HTTP-EQUIV="REFRESH" CONTENT="60"> 
<META HTTP-EQUIV="EXPIRES" CONTENT="Sat, 01 Jan 2001 00:00:00 GMT"> 
<META HTTP-EQUIV="Set-Cookie" CONTENT="pagepath=; path=/"> 
<META HTTP-EQUIV="Set-Cookie" CONTENT="host=target-hostname; path=/"> 
<TITLE>yellow : Xymon - dbinvobj status for host=target-hostname (10.*.*.*)
@ Thu Jan 12 19:07:47 2017</TITLE>

<!-- Styles for the Xymon body  --> 
<link rel="stylesheet" type="text/css" href="/xymon/gifs/xymonbody.css"> 

<!-- Styles for the menu bar --> 
<link rel="stylesheet" type="text/css" 
href="/xymon/menu/xymonmenu-blue.css"> 

<!-- The favicon image --> 
<link rel="shortcut icon" href="/xymon/gifs/favicon-yellow.ico"> 

<!-- CoMinder customisation --> 
<script language="JavaScript1.2" type="text/javascript">
/* Toggle a hidden DIV and swap the caption of the link that controls it. */
function toggle_div(p_DivName, p_LinkName, p_showCaption, p_HideCaption) {
    var div_element = document.getElementById(p_DivName);
    var text = document.getElementById(p_LinkName);
    if (div_element.style.display == "block") {
        div_element.style.display = "none";
        text.innerHTML = p_showCaption;
    }
    else {
        div_element.style.display = "block";
        text.innerHTML = p_HideCaption;
    }
}
</script>
<!-- end of CoMinder customisation --> 

</HEAD> 
============== 


It was working fine in 4.3.17 (in fact we still have one monitoring server
of that version and it is working).
In 4.3.27 we get the following errors in the latest Chrome, and our
JavaScript function is not working (nothing happens):


1) 
Refused to execute the redirect specified via '<meta http-equiv='refresh' 
content='...'>'. The document is sandboxed, and the 'allow-scripts' 
keyword is not set. 

2) 
Blocked script execution in
'https://myhostname:port/xymon-cgi/svcstatus.sh?HOST=target-hostname&SERVICE=custmetric'
because the document's frame is sandboxed and the 'allow-scripts'
permission is not set.


Note: old Opera (before Chromium), old (2013) Chrome and a more or less
modern Firefox ESR do not have this problem.


I have found a similar thread, [Xymon] 4.3.25 - ouch (reverting to
4.3.22), but it is not identical, and it looks like a final solution was
not found.

http://lists.xymon.com/archive/2016-February/043013.html 

I have compared the page sources from Xymon 4.3.17 and 4.3.27 for the
same content, and the difference is only 1 line, which IMHO should not
affect this - 1 menu item added in 4.3.27:
<a class="inner"
href="/xymon-cgi/acknowledgements.sh">Acknowledgements</a>

If I save both pages locally as HTML files and open them in Chrome, the
JavaScript function works and there are no "sandboxed" errors.

Hi,

Yes, this was part of the anti-XSS/CSP fix that went into 4.3.25. There 
were some initial problems, but I believe we resolved those issues 
completely within 4.3.26.

The headers in question are generated at the CGI layer rather than in the 
templates, which is why you don't see much of a change there. 

You can bypass this generation by setting the XYMON_NOCSPHEADER variable
to something non-empty in xymonserver.cfg on your xymongen server. This
should only be done on systems where you are comfortable with the
integrity of the clients, as it allows arbitrary JavaScript to be
returned in status and client messages (cf.
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2058).

HTH,
-jc
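The two states discussed in this thread are worth checking from the outside before and after touching xymonserver.cfg: with the 4.3.25+ default, the CGI sends a Content-Security-Policy sandbox without 'allow-scripts', so Chrome refuses both the inline toggle_div script and the <META HTTP-EQUIV="REFRESH">; with XYMON_NOCSPHEADER set, no CSP is sent and any markup carried in a status or client message is rendered unrestricted. The following is an added example, not Xymon code and not from either poster: it parses the header block of an HTTP response (what `curl -sI` prints) and reports what the page may do. The exact directive list Xymon emits is an assumption; the thread only confirms a sandbox without 'allow-scripts'. The sample responses are constructed.

```python
"""Evaluate what the Content-Security-Policy sent with an Xymon CGI page
lets that page do. Added example, not code from Xymon or from the thread.
The directive list in DEFAULT_4_3_27 is an assumption; only the absence
of 'allow-scripts' is confirmed by the Chrome errors in the thread.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class PageCapabilities:
    csp_present: bool      # False: status/client text is rendered with no policy at all
    inline_scripts: bool   # may <script> in the HEAD template and onclick handlers run?
    meta_refresh: bool     # may <META HTTP-EQUIV="REFRESH"> navigate the page?


def headers_from_raw(raw):
    """Parse the head of an HTTP response (e.g. 'curl -sI' output) into a dict.

    Header names are lower-cased because they are case-insensitive; parsing
    stops at the first blank line, where a body would begin.
    """
    headers = {}
    for line in raw.splitlines()[1:]:          # skip the status line
        if not line.strip():
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def parse_csp(value):
    """Split a CSP value into {directive: [tokens]}; directives are ';'-separated."""
    policy = {}
    for directive in value.split(";"):
        tokens = directive.split()
        if tokens:
            policy[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return policy


def evaluate(headers):
    """Decide what the page may do under the CSP in 'headers' (names lower-cased)."""
    value = headers.get("content-security-policy")
    if value is None:
        # No policy at all: whatever markup a status message carries is executed as-is.
        return PageCapabilities(csp_present=False, inline_scripts=True, meta_refresh=True)
    policy = parse_csp(value)
    if "sandbox" in policy:
        # Both Chrome errors quoted in the thread gate on the sandbox flag
        # 'allow-scripts': inline script and the meta refresh alike.
        allow_scripts = "allow-scripts" in policy["sandbox"]
        return PageCapabilities(True, allow_scripts, allow_scripts)
    # Non-sandbox policy: inline script needs 'unsafe-inline' in script-src
    # (falling back to default-src). Nonces and hashes are ignored here, since a
    # static header template like hostsvc_header cannot supply them.
    sources = policy.get("script-src", policy.get("default-src", []))
    return PageCapabilities(True, "'unsafe-inline'" in sources, True)


def describe(raw):
    """One-line verdict for a raw response, for use from a shell loop or a check script."""
    caps = evaluate(headers_from_raw(raw))
    if not caps.csp_present:
        return "no CSP: inline JS in status messages runs (CVE-2016-2058 exposure)"
    if caps.inline_scripts:
        return "CSP present but inline script allowed"
    return "sandboxed without allow-scripts: toggle_div and META REFRESH blocked"


# Constructed sample responses, not captures from a real server.
DEFAULT_4_3_27 = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Content-Security-Policy: sandbox allow-forms allow-same-origin\r\n"  # assumed flags
    "\r\n"
)
WITH_NOCSPHEADER = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for label, raw in (("4.3.27 default", DEFAULT_4_3_27), ("XYMON_NOCSPHEADER", WITH_NOCSPHEADER)):
        print(f"{label}: {describe(raw)}")
```

In practice, feed `headers_from_raw` the output of `curl -sI 'https://myhostname:port/xymon-cgi/svcstatus.sh?HOST=...&SERVICE=...'` for a few hosts: a "no CSP" verdict on a server that is not meant to have XYMON_NOCSPHEADER set is the misconfiguration to look for, since it means status text from any client that can reach the xymond port is rendered with no restriction at all.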
