[Xymon] "sandboxed" errors in 4.3.27

Japheth Cleaver cleaver at terabithia.org
Thu Jan 12 19:12:20 CET 2017


On 1/12/2017 9:34 AM, Andrey Chervonets wrote:
> We have recently upgraded our monitoring server from 4.3.17 to 4.3.27 
> and are now getting " is sandboxed, and the 'allow-scripts' keyword is 
> not set." errors in modern Chrome
> for svcstatus.sh pages
>
> Let me explain:
> Some of our custom tests may generate large content with detailed 
> technical information, which is not always required to show on the web page.
> The monitoring test generates HTML content with a DIV having style='display: 
> none'
>
> The HTML content also contains an <A HREF> element with a JavaScript function 
> call to show the DIV content on click (or hide it on click again).
> The appropriate JavaScript function is placed in the page header - it was 
> placed in the HEAD element - in
> ./server/web/hostsvc_header
> ./server/web/histlog_header
>
> so generated header is the following:
> ==============
> <HEAD>
> <META HTTP-EQUIV="REFRESH" CONTENT="60">
> <META HTTP-EQUIV="EXPIRES" CONTENT="Sat, 01 Jan 2001 00:00:00 GMT">
> <META HTTP-EQUIV="Set-Cookie" CONTENT="pagepath=; path=/">
> <META HTTP-EQUIV="Set-Cookie" CONTENT="host=target-hostname; path=/">
> <TITLE>yellow : Xymon - dbinvobj status forhost=target-hostname 
> (10.*.*.*) @ Thu Jan 12 19:07:47 2017</TITLE>
>
> <!-- Styles for the Xymon body  -->
> <link rel="stylesheet" type="text/css" href="/xymon/gifs/xymonbody.css">
>
> <!-- Styles for the menu bar -->
> <link rel="stylesheet" type="text/css" 
> href="/xymon/menu/xymonmenu-blue.css">
>
> <!-- The favicon image -->
> <link rel="shortcut icon" href="/xymon/gifs/favicon-yellow.ico">
>
> <!-- CoMinder customisation -->
> <script language="JavaScript1.2" type="text/javascript">
> function toggle_div(p_DivName,p_LinkName,p_showCaption,p_HideCaption) {
>     var div_element = document.getElementById(p_DivName);
>     var text = document.getElementById(p_LinkName);
>     if(div_element.style.display == "block") {
>         div_element.style.display = "none";
>         text.innerHTML = p_showCaption;
>     }
>     else {
>         div_element.style.display = "block";
>         text.innerHTML = p_HideCaption;
>     }
> }
> </script>
> <!-- end of CoMinder customisation -->
>
> </HEAD>
> ==============
>
>
> It was working fine in 4.3.17 (really we still have one monitoring 
> server of that version and it is working).
> In 4.3.27 we get the following errors in the latest Chrome, and our JavaScript 
> function is not working (nothing happens):
>
>
> 1)
> Refused to execute the redirect specified via '<meta 
> http-equiv='refresh' content='...'>'. The document is sandboxed, and 
> the 'allow-scripts' keyword is not set.
>
> 2)
> Blocked script execution in 
> 'https://myhostname:port/xymon-cgi/svcstatus.sh?HOST=target-hostname&SERVICE=custmetric' because 
> the document's frame is sandboxed and the 'allow-scripts' permission 
> is not set.
>
>
> Note: old Opera (before Chromium), old (2013) Chrome and more or less 
> modern Firefox ESR do not have such a problem.
>
>
> I have found a similar thread, [Xymon] 4.3.25 - ouch (reverting to 
> 4.3.22), but it is not identical and it looks like a final solution was not 
> found:
> http://lists.xymon.com/archive/2016-February/043013.html
>
> I have compared the page sources from Xymon 4.3.17 and 4.3.27 for the 
> same content,
> and the difference is only 1 line, which IMHO should not affect it - 1 
> menu item added in 4.3.27:
> <a class="inner" 
> href="/xymon-cgi/acknowledgements.sh">Acknowledgements</a>
>
> If I save both pages locally as HTML files and open them in Chrome, the 
> JavaScript function is working and there are no "sandboxed" errors.

Hi,

Yes, this was part of the anti-XSS/CSP fix that went into 4.3.25. There 
were some initial problems, but I believe we resolved those issues 
completely within 4.3.26.

The headers in question are generated at the CGI layer rather than in 
the templates, which is why you don't see much of a change there.

You can bypass this generation by setting the "XYMON_NOCSPHEADER" 
variable to something non-empty in xymonserver.cfg on your xymongen 
server. This should only be done on systems where you feel comfortable with 
the integrity of the clients, as it allows arbitrary JavaScript to be 
returned in status and client messages (cf. 
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2058)

HTH,
-jc
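As an added example (not part of this thread and not Xymon's own code), here is a small Python checker that parses a Content-Security-Policy header value the way a browser would and reports whether a `sandbox` directive without `allow-scripts`, or a `script-src`/`default-src` without `'unsafe-inline'`, would block the inline toggle_div() function and the meta refresh from the header template above. The sample header values are constructed for illustration; the exact policy string emitted by the 4.3.25+ CGIs is not quoted in the thread, so the check is written to take whatever value you copy out of the response headers of svcstatus.sh.

```python
"""Check whether a Content-Security-Policy header value would block inline
scripts and <meta http-equiv="refresh"> the way Chrome reported for the
Xymon svcstatus.sh pages. Added example; the sample header values below
are constructed, not captured from a Xymon server."""


def parse_csp(header_value):
    """Parse one CSP header value into {directive-name: [tokens]}.
    Directives are ';'-separated; the first whitespace-separated token is
    the (case-insensitive) name, the rest are the directive's values."""
    policy = {}
    for directive in header_value.split(";"):
        tokens = directive.split()
        if not tokens:
            continue
        name = tokens[0].lower()
        # CSP ignores a repeated directive within one policy; keep the first.
        policy.setdefault(name, tokens[1:])
    return policy


def sandbox_blocks_scripts(policy):
    """True when the policy carries a 'sandbox' directive without the
    'allow-scripts' flag. Such a document may not run any script and may
    not follow a meta-refresh redirect, which matches both Chrome messages
    quoted in the thread."""
    if "sandbox" not in policy:
        return False
    flags = {t.lower() for t in policy["sandbox"]}
    return "allow-scripts" not in flags


def inline_scripts_allowed(policy):
    """True when inline <script> blocks are permitted by script-src (or the
    default-src fallback). Nonce and hash sources are not considered
    because the Xymon header template carries no nonce or hash."""
    sources = policy.get("script-src", policy.get("default-src"))
    if sources is None:
        return True  # neither directive present: no script restriction
    return "'unsafe-inline'" in {s.lower() for s in sources}


def diagnose(header_values):
    """header_values: every Content-Security-Policy header on the response.
    A response may carry several; each policy is enforced independently, so
    the page is blocked if any one of them blocks it. Returns a list of
    findings; an empty list means toggle_div() and the meta refresh run."""
    findings = []
    for raw in header_values:
        policy = parse_csp(raw)
        if sandbox_blocks_scripts(policy):
            findings.append("sandbox without allow-scripts: script execution "
                            "and meta refresh are blocked")
        if not inline_scripts_allowed(policy):
            findings.append("script-src/default-src lacks 'unsafe-inline': "
                            "inline toggle_div() is blocked")
    return findings


# Constructed sample header values (not captured from a Xymon server):
SANDBOXED = "sandbox; default-src 'self'"
SANDBOX_WITH_SCRIPTS = ("sandbox allow-scripts allow-same-origin; "
                        "script-src 'self' 'unsafe-inline'")
NO_CSP = []  # what a server with XYMON_NOCSPHEADER set would send

if __name__ == "__main__":
    cases = [("sandboxed", [SANDBOXED]),
             ("sandbox+allow-scripts", [SANDBOX_WITH_SCRIPTS]),
             ("no CSP header", NO_CSP)]
    for label, headers in cases:
        print(label, "->", diagnose(headers) or ["OK"])
```

To use it against a real server, copy every Content-Security-Policy value from the response headers of svcstatus.sh (the CGI layer adds them, so the templates alone will not show them) and pass them as the list to diagnose(). A finding for `sandbox` explains both Chrome messages; a finding for `script-src` would still block the inline function even if the sandbox flag were relaxed, which is why removing the header entirely (the XYMON_NOCSPHEADER route) and relaxing it selectively are not equivalent.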