<div dir="ltr"><div><div><div><div class="gmail_extra">I can confirm that the enable/disable
functionality isn't working for me either when done from the info page.
Selecting apply just doesn't do anything (using Firefox). In Chrome, I'm
seeing the same error messages in the Chrome Console that John
describes. I'm using the latest Terabithia RPMs for RHEL 7.<br></div><br><br>I very much disagree with the idea of having to hit F5 every so often to see a refreshed Xymon page, rather then it refreshing automatically.<br><br></div>If I have a Xymon page up on a monitor and then I am working on something else on another monitor, I don't want to have to go over to the browser on the other monitor and hit F5 every so often to refresh the page. I'd much rather it refresh every so often automatically, so then I just have to look over at the monitor every so often to look for any changes.<br><br></div><div>Where exactly are you seeing this refresh change (just curious)?<br></div><div><br></div><div>Why wouldn't you want it to refresh automatically? Isn't the idea to get the most up-to-date info possible?<br><br></div>Personally, it doesn't matter to me whether it's every 60 seconds or every 30 seconds. 60 seconds worked just fine for me before.<br><br></div>Maybe J.C. can elaborate more on why the change in the time interval happened.<br><div class="gmail_extra"><br></div><div class="gmail_extra">Thanks.<br><br></div><div class="gmail_extra"><div><div><div>--</div><div>Matt Vander Werf</div></div></div>
<br><div class="gmail_quote">On Wed, Feb 10, 2016 at 4:23 PM, John Thurston <span dir="ltr"><<a href="mailto:john.thurston@alaska.gov" target="_blank">john.thurston@alaska.gov</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">My testing of the release candidate was obviously inadequate. My phone rang off the hook after shipping 4.3.25 to my production server. I've reverted it to 4.3.22 while I try to get a handle on the changes.<br>
<br>
:: svcstatus refresh ::<br>
<br>
I didn't see any mention of this in the release notes, but the page is now being delivered with a 30-second _header_ refresh in place of a 60-second _meta_ refresh.<br>
<br>
I assume the change in method is related to XSS protection changes, but I don't know for sure. The shortening of the interval concerns me much more than the change in method. I'd prefer the darned page didn't refresh at all, but hard coding it to every half minute? Ouch. Ick. What's the business case here? Anyone who his visually monitoring a single info page can hit F5 when they want a refresh, can't they?<br>
<br>
:: XSS protections ::<br>
<br>
It looks like the XSS protection bits inserted into http headers<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
content-security-policy: script-src 'self'; connect-src 'self'; form-action 'self'; sandbox allow-forms;<br>
X-Content-Security-Policy: script-src 'self'; connect-src 'self'; form-action 'self'; sandbox allow-forms;<br>
X-Webkit-CSP: script-src 'self'; connect-src 'self'; form-action 'self'; sandbox allow-forms;<br>
</blockquote>
<br>
has broken several functions for me. The most important things are the notes our operators use to figure out who to call. We insert some html into the DESCR tag of hosts.cfg. This appears on the "info" page as a link. The links are to static content served by the same Apache web server. The tags are of the form:<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
DESCR:"Important Server:<a href=/xymon/CNotes/ImportantServer target=Notes>Reference notes</a>"<br>
</blockquote>
<br>
With Firefox, the links work. With InternetExploder and Chrome, the links quietly fail to work. The Chrome console returns the error message:<br>
Blocked script execution in '<a href="https://foo.bar.com/xymon-" rel="noreferrer" target="_blank">https://foo.bar.com/xymon-</a><br>
cgi/svcstatus.sh?HOST=<a href="http://bb.bar.com" rel="noreferrer" target="_blank">bb.bar.com</a>&SERVICE=info' because<br>
the document's frame is sandboxed and the 'allow-scripts'<br>
permission is not set.<br>
Removing the "target" property from the A tag allows it to work. It overwrites the info page, but at least it works :p It feels like a step back to the 90's be forced into a single page that keeps getting replaced.<br>
<br>
I don't know enough about the "content security policy". What are my options to retain the named-window/tab capabilities?<br>
<br>
:: svcstatus disable function ::<br>
<br>
We are unable to enable/disable test from a host's "info" page. We can do so from enadis.sh, but this is a lot harder for many of our users.<br>
<br>
In Chrome, attempts to disable tests from the "info" page is generating the same "frame is sandboxed" messages.<br>
<br>
In Firefox, the attempts just don't do anything. There are messages in the console<br>
Content Security Policy: The page's settings blocked the loading<br>
of a resource at self ("script-src <a href="https://x.foo.com" rel="noreferrer" target="_blank">https://x.foo.com</a>").<br>
so maybe the information necessary to build the form isn't even being loaded.<span><font color="#888888"><br>
<br>
<br>
-- <br>
Do things because you should, not just because you can.<br>
<br>
John Thurston <a href="tel:907-465-8591" value="+19074658591" target="_blank">907-465-8591</a><br>
<a href="mailto:John.Thurston@alaska.gov" target="_blank">John.Thurston@alaska.gov</a><br>
Enterprise Technology Services<br>
Department of Administration<br>
State of Alaska<br>
_______________________________________________<br>
Xymon mailing list<br>
<a href="mailto:Xymon@xymon.com" target="_blank">Xymon@xymon.com</a><br>
<a href="http://lists.xymon.com/mailman/listinfo/xymon" rel="noreferrer" target="_blank">http://lists.xymon.com/mailman/listinfo/xymon</a><br>
</font></span></blockquote></div><br></div></div>