<html>
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">On 1/12/2017 9:34 AM, Andrey Chervonets
wrote:<br>
</div>
<blockquote
cite="mid:OFE50590F8.8ADE3994-ONC22580A6.005E5EB8-C22580A6.0060915D@cominder.eu"
type="cite"><font face="sans-serif" size="2">We have recently
upgraded our monitoring server from 4.3.17 to 4.3.27 and are now getting
" is sandboxed, and the 'allow-scripts' keyword is not set." errors in
modern Chrome</font>
<br>
<font face="sans-serif" size="2">for svcstatus.sh pages</font>
<br>
<br>
<font face="sans-serif" size="2">Let me explain:</font>
<br>
<font face="sans-serif" size="2">Some of our custom tests may
generate large content with detailed technical information, which is not
always required to be shown on the web page.</font>
<br>
<font face="sans-serif" size="2">The monitoring test generates HTML
content with a DIV having </font><tt><font size="3">style='display:
none'</font></tt>
<br>
<br>
<font face="sans-serif" size="2">The HTML content also contains an &lt;A
HREF&gt; element with a JavaScript function call to show the DIV content
on click (or hide it on click again)</font>
<br>
<font face="sans-serif" size="2">The appropriate JavaScript function is
placed in the page header - it was placed in the HEAD element - in </font>
<br>
<font face="sans-serif" size="2">./server/web/hostsvc_header</font>
<br>
<font face="sans-serif" size="2">./server/web/histlog_header</font>
<br>
<br>
<font face="sans-serif" size="2">so the generated header is the
following:</font>
<br>
<font face="sans-serif" size="2">==============</font>
<br>
<font face="sans-serif" size="2">&lt;HEAD&gt;</font>
<br>
<font face="sans-serif" size="2">&lt;META HTTP-EQUIV="REFRESH"
CONTENT="60"&gt;</font>
<br>
<font face="sans-serif" size="2">&lt;META HTTP-EQUIV="EXPIRES"
CONTENT="Sat, 01 Jan 2001 00:00:00 GMT"&gt;</font>
<br>
<font face="sans-serif" size="2">&lt;META HTTP-EQUIV="Set-Cookie"
CONTENT="pagepath=; path=/"&gt;</font>
<br>
<font face="sans-serif" size="2">&lt;META HTTP-EQUIV="Set-Cookie"
CONTENT="host=target-hostname; path=/"&gt;</font>
<br>
<font face="sans-serif" size="2">&lt;TITLE&gt;yellow : Xymon -
dbinvobj status for host=target-hostname (10.*.*.*) @ Thu Jan 12 19:07:47
2017&lt;/TITLE&gt;</font>
<br>
<br>
<font face="sans-serif" size="2">&lt;!-- Styles for the Xymon body
--&gt;</font>
<br>
<font face="sans-serif" size="2">&lt;link rel="stylesheet"
type="text/css" href="/xymon/gifs/xymonbody.css"&gt;</font>
<br>
<br>
<font face="sans-serif" size="2">&lt;!-- Styles for the menu bar
--&gt;</font>
<br>
<font face="sans-serif" size="2">&lt;link rel="stylesheet"
type="text/css" href="/xymon/menu/xymonmenu-blue.css"&gt;</font>
<br>
<br>
<font face="sans-serif" size="2">&lt;!-- The favicon image --&gt;</font>
<br>
<font face="sans-serif" size="2">&lt;link rel="shortcut icon"
href="/xymon/gifs/favicon-yellow.ico"&gt;</font>
<br>
<br>
<font face="sans-serif" size="2">&lt;!-- CoMinder customisation
--&gt;</font>
<br>
<font face="sans-serif" size="2">&lt;script
language="JavaScript1.2"
type="text/javascript"&gt;</font>
<br>
<font face="sans-serif" size="2">// Toggle the named DIV between shown and
hidden and swap the caption of the link that was clicked</font>
<br>
<font face="sans-serif" size="2">function
toggle_div(p_DivName,p_LinkName,p_showCaption,p_HideCaption)
{</font>
<br>
<font face="sans-serif" size="2"> var div_element
= document.getElementById(p_DivName);</font>
<br>
<font face="sans-serif" size="2"> var text
= document.getElementById(p_LinkName);</font>
<br>
<font face="sans-serif" size="2">
if(div_element.style.display
== "block") {</font>
<br>
<font face="sans-serif" size="2"> div_element.style.display
= "none";</font>
<br>
<font face="sans-serif" size="2">
text.innerHTML = p_showCaption;</font>
<br>
<font face="sans-serif" size="2"> }</font>
<br>
<font face="sans-serif" size="2"> else {</font>
<br>
<font face="sans-serif" size="2">
div_element.style.display = "block";</font>
<br>
<font face="sans-serif" size="2">
text.innerHTML = p_HideCaption;</font>
<br>
<font face="sans-serif" size="2"> }</font>
<br>
<font face="sans-serif" size="2">}</font>
<br>
<font face="sans-serif" size="2">&lt;/script&gt;</font>
<br>
<font face="sans-serif" size="2">&lt;!-- end of CoMinder
customisation
--&gt;</font>
<br>
<br>
<font face="sans-serif" size="2">&lt;/HEAD&gt;</font>
<br>
<font face="sans-serif" size="2">==============</font>
<br>
<br>
<font face="sans-serif" size="2"><br>
It was working fine in 4.3.17 (really, we still have one
monitoring server of that version and it is working)</font>
<br>
<font face="sans-serif" size="2">In 4.3.27 we get the following
errors in the latest Chrome and our JavaScript function is not working
(nothing happens)</font>
<br>
<br>
<font face="sans-serif" size="2"><br>
1)</font>
<br>
<font face="sans-serif" size="2">Refused to execute the redirect
specified via '&lt;meta http-equiv='refresh' content='...'&gt;'. The
document is sandboxed, and the 'allow-scripts' keyword is not set.</font>
<br>
<br>
<font face="sans-serif" size="2">2) </font>
<br>
<font face="sans-serif" size="2">Blocked script execution in
'https://myhostname:port/xymon-cgi/svcstatus.sh?HOST=target-hostname&SERVICE=custmetric' because
the document's frame is sandboxed and the 'allow-scripts' permission
is not set.</font>
<br>
<br>
<br>
<font face="sans-serif" size="2">Note: old Opera (before
Chromium), old (2013) Chrome and a more or less modern Firefox ESR do not
have this problem.</font>
<br>
<br>
<br>
<font face="sans-serif" size="2">I have found a similar thread,
"[Xymon] 4.3.25 - ouch (reverting to 4.3.22)", but it is not identical
and it looks like a final solution was not found.</font>
<br>
<a moz-do-not-send="true"
href="http://lists.xymon.com/archive/2016-February/043013.html"><font
face="sans-serif" color="blue" size="2">http://lists.xymon.com/archive/2016-February/043013.html</font></a>
<br>
<br>
<font face="sans-serif" size="2">I have compared the page sources
from Xymon 4.3.17 and 4.3.27 for the same content,</font>
<br>
<font face="sans-serif" size="2">and the difference is only 1
line, which IMHO should not have any effect - 1 menu item added in
4.3.27:</font>
<br>
<font face="sans-serif" size="2">&lt;a class="inner"
href="/xymon-cgi/acknowledgements.sh"&gt;Acknowledgements&lt;/a&gt;</font>
<br>
<br>
<font face="sans-serif" size="2">If I save both pages locally as
HTML files and open them in Chrome, the JavaScript function works and
there are no "sandboxed" errors.</font>
<br>
</blockquote>
<br>
Hi,<br>
<br>
Yes, this was part of the anti-XSS/CSP fix that went into 4.3.25.
There were some initial problems, but I believe we resolved those
issues completely within 4.3.26.<br>
<br>
The headers in question are generated at the CGI layer rather than
in the templates, which is why you don't see much of a change there.
<br>
<br>
You can bypass this generation by setting the "XYMON_NOCSPHEADER"
variable to something non-empty in xymonserver.cfg on your xymongen
server. This should only be done on systems where you feel comfortable
with the integrity of the clients, as it allows arbitrary
javascript to be returned in status and client messages (cf.
<a class="moz-txt-link-freetext" href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2058">https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2058</a>)<br>
<br>
HTH,<br>
-jc<br>
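<br>
As an added example (not part of this thread and not Xymon's own code), a small Python helper that parses a Content-Security-Policy header value and reports what a <tt>sandbox</tt> directive without <tt>allow-scripts</tt> blocks, which is exactly the pair of Chrome errors quoted above; it also looks the header up in a response-header mapping so the presence or absence of the CSP header (e.g. after setting XYMON_NOCSPHEADER) can be checked. The header values in the demo are constructed samples, not copied from a Xymon server.<br>

```python
"""Parse a Content-Security-Policy (CSP) value and report what its
'sandbox' directive blocks. Added example, not Xymon's code; the header
strings used below are constructed samples."""


def parse_csp(header: str) -> dict:
    """Split a CSP value into {directive_name: [tokens]}.
    Directives are ';'-separated, names are case-insensitive, and when a
    directive is repeated the first occurrence wins (later ones are
    ignored, which is how browsers enforce duplicated directives)."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if not tokens:
            continue
        policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def sandbox_effects(header: str) -> dict:
    """Describe what a document served with this CSP may or may not do.
    Without 'allow-scripts' Chromium refuses script execution AND the
    <meta http-equiv="refresh"> redirect (the two errors a sandboxed Xymon
    status page shows); without 'allow-same-origin' the page gets an
    opaque origin instead of the server's real one."""
    policy = parse_csp(header)
    if "sandbox" not in policy:
        return {"sandboxed": False, "scripts_blocked": False,
                "meta_refresh_blocked": False, "opaque_origin": False}
    flags = {f.lower() for f in policy["sandbox"]}
    scripts_ok = "allow-scripts" in flags
    return {"sandboxed": True,
            "scripts_blocked": not scripts_ok,
            "meta_refresh_blocked": not scripts_ok,
            "opaque_origin": "allow-same-origin" not in flags}


def find_csp(headers: dict) -> str:
    """Return the CSP value from a response-header mapping (header names
    matched case-insensitively), or '' when the server sent none."""
    for name, value in headers.items():
        if name.lower() == "content-security-policy":
            return value
    return ""


if __name__ == "__main__":
    # Constructed response headers, for illustration only.
    sample = {"Content-Type": "text/html",
              "Content-Security-Policy": "sandbox allow-same-origin; default-src 'self'"}
    print(sandbox_effects(find_csp(sample)))
```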
</body>
</html>