<font size=2 face="sans-serif">Thank You!</font>
<br>
<br><font size=2 face="sans-serif">Setting the XYMON_NOCSPHEADER - fixed
the trouble.</font>
<br>
<br><font size=2 face="sans-serif">In this case the clients are relatively
safe. </font>
<br>
<br>
<br><font size=2 face="Verdana">Best regards,</font>
<br>
<br><font size=2 face="Verdana">Andrey Chervonets</font>
<br><font size=2 face="Verdana">----------------------</font>
<br><font size=2 face="Verdana">SIA CoMinder</font>
<br><a href=http://www.cominder.eu/><font size=2 color=blue face="Verdana">http://www.cominder.eu/</font></a>
<br>
<br>
<br>
<br>
<br>
<br><font size=1 color=#5f5f5f face="sans-serif">From:
</font><font size=1 face="sans-serif">Japheth Cleaver <cleaver@terabithia.org></font>
<br><font size=1 color=#5f5f5f face="sans-serif">To:
</font><font size=1 face="sans-serif">Andrey Chervonets <A.Chervonets@cominder.eu>,
xymon@xymon.com</font>
<br><font size=1 color=#5f5f5f face="sans-serif">Date:
</font><font size=1 face="sans-serif">12.01.2017 20:12</font>
<br><font size=1 color=#5f5f5f face="sans-serif">Subject:
</font><font size=1 face="sans-serif">Re: [Xymon]
"sandboxed" errors in 4.3.27</font>
<br>
<hr noshade>
<br>
<br>
<br><font size=3 face="Arial">On 1/12/2017 9:34 AM, Andrey Chervonets wrote:</font>
<br><font size=2 face="sans-serif">We have recently upgraded our monitoring
server from 4.3.17 to 4.3.27 and now getting " is sandboxed,
and the 'allow-scripts' keyword is not set." errors in modern Chrome</font><font size=3 face="Arial">
</font><font size=2 face="sans-serif"><br>
for svcstatus.sh pages</font><font size=3 face="Arial"> <br>
</font><font size=2 face="sans-serif"><br>
Let me explain:</font><font size=3 face="Arial"> </font><font size=2 face="sans-serif"><br>
Some our custom tests may generate large content with detailed technical
information, which is not always required to show on web-page.</font><font size=3 face="Arial">
</font><font size=2 face="sans-serif"><br>
monitoring test generate HTML content with DIV having </font><tt><font size=3>style</font></tt><tt><font size=3 color=#800080>='</font></tt><tt><font size=3>display:
none</font></tt><tt><font size=3 color=#800080>'</font></tt><font size=3 face="Arial">
<br>
</font><font size=2 face="sans-serif"><br>
HTML content also contains <A HREF> element with java script function
call to show DIV content on click (or hide on click again)</font><font size=3 face="Arial">
</font><font size=2 face="sans-serif"><br>
Appropriate java script function is placed in page header - it was
placed in HEAD element - in <br>
./server/web/hostsvc_header</font><font size=3 face="Arial"> </font><font size=2 face="sans-serif"><br>
./server/web/histlog_header</font><font size=3 face="Arial"> <br>
</font><font size=2 face="sans-serif"><br>
so generated header is the following:</font><font size=3 face="Arial">
</font><font size=2 face="sans-serif"><br>
==============</font><font size=3 face="Arial"> </font><font size=2 face="sans-serif"><br>
<HEAD></font><font size=3 face="Arial"> </font><font size=2 face="sans-serif"><br>
<META HTTP-EQUIV="REFRESH" CONTENT="60"></font><font size=3 face="Arial">
</font><font size=2 face="sans-serif"><br>
<META HTTP-EQUIV="EXPIRES" CONTENT="Sat, 01 Jan 2001
00:00:00 GMT"></font><font size=3 face="Arial"> </font><font size=2 face="sans-serif"><br>
<META HTTP-EQUIV="Set-Cookie" CONTENT="pagepath=; path=/"></font><font size=3 face="Arial">
</font><font size=2 face="sans-serif"><br>
<META HTTP-EQUIV="Set-Cookie" CONTENT="host=target-hostname;
path=/"></font><font size=3 face="Arial"> </font><font size=2 face="sans-serif"><br>
<TITLE>yellow : Xymon - dbinvobj status forhost=target-hostname (10.*.*.*)
@ Thu Jan 12 19:07:47 2017</TITLE></font><font size=3 face="Arial">
<br>
</font><font size=2 face="sans-serif"><br>
<!-- Styles for the Xymon body --></font><font size=3 face="Arial">
</font><font size=2 face="sans-serif"><br>
<link rel="stylesheet" type="text/css" href="/xymon/gifs/xymonbody.css"></font><font size=3 face="Arial">
<br>
</font><font size=2 face="sans-serif"><br>
<!-- Styles for the menu bar --></font><font size=3 face="Arial">
</font><font size=2 face="sans-serif"><br>
<link rel="stylesheet" type="text/css" href="/xymon/menu/xymonmenu-blue.css"></font><font size=3 face="Arial">
<br>
</font><font size=2 face="sans-serif"><br>
<!-- The favicon image --></font><font size=3 face="Arial"> </font><font size=2 face="sans-serif"><br>
<link rel="shortcut icon" href="/xymon/gifs/favicon-yellow.ico"></font><font size=3 face="Arial">
<br>
</font><font size=2 face="sans-serif"><br>
<!-- CoMinder customisation --></font><font size=3 face="Arial">
</font><font size=2 face="sans-serif"><br>
<script language="JavaScript1.2" type="text/javascript"></font><font size=3 face="Arial">
</font><font size=2 face="sans-serif"><br>
function toggle_div(p_DivName,p_LinkName,p_showCaption,p_HideCaption) {</font><font size=3 face="Arial">
</font><font size=2 face="sans-serif"><br>
var div_element = document.getElementById(p_DivName);</font><font size=3 face="Arial">
</font><font size=2 face="sans-serif"><br>
var text = document.getElementById(p_LinkName);</font><font size=3 face="Arial">
</font><font size=2 face="sans-serif"><br>
if(div_element.style.display == "block")
{</font><font size=3 face="Arial"> </font><font size=2 face="sans-serif"><br>
div_element.style.display = "none";</font><font size=3 face="Arial">
</font><font size=2 face="sans-serif"><br>
text.innerHTML
= p_showCaption;</font><font size=3 face="Arial"> </font><font size=2 face="sans-serif"><br>
}</font><font size=3 face="Arial"> </font><font size=2 face="sans-serif"><br>
else {</font><font size=3 face="Arial"> </font><font size=2 face="sans-serif"><br>
div_element.style.display
= "block";</font><font size=3 face="Arial"> </font><font size=2 face="sans-serif"><br>
text.innerHTML
= p_HideCaption;</font><font size=3 face="Arial"> </font><font size=2 face="sans-serif"><br>
}</font><font size=3 face="Arial"> </font><font size=2 face="sans-serif"><br>
}</font><font size=3 face="Arial"> </font><font size=2 face="sans-serif"><br>
</script></font><font size=3 face="Arial"> </font><font size=2 face="sans-serif"><br>
<!-- end of CoMinder customisation --></font><font size=3 face="Arial">
<br>
</font><font size=2 face="sans-serif"><br>
</HEAD></font><font size=3 face="Arial"> </font><font size=2 face="sans-serif"><br>
==============</font><font size=3 face="Arial"> <br>
</font><font size=2 face="sans-serif"><br>
<br>
It was working fine in 4.3.17 (really we still have one monitoring server
of that version and it is working)</font><font size=3 face="Arial"> </font><font size=2 face="sans-serif"><br>
In 4.3.27 - we get the following errors in latest Chrome and our
java script function is not working (nothing happens)</font><font size=3 face="Arial">
<br>
</font><font size=2 face="sans-serif"><br>
<br>
1)</font><font size=3 face="Arial"> </font><font size=2 face="sans-serif"><br>
Refused to execute the redirect specified via '<meta http-equiv='refresh'
content='...'>'. The document is sandboxed, and the 'allow-scripts'
keyword is not set.</font><font size=3 face="Arial"> <br>
</font><font size=2 face="sans-serif"><br>
2) <br>
Blocked script execution in 'https://myhostname:port/xymon-cgi/svcstatus.sh?HOST=target-hostname&SERVICE=custmetric'because
the document's frame is sandboxed and the 'allow-scripts' permission is
not set.</font><font size=3 face="Arial"> <br>
<br>
</font><font size=2 face="sans-serif"><br>
Note: old Opera (before Chromium), old (2013) Chrome and more or less modern
FireFox ESR does not have such problem.</font><font size=3 face="Arial">
<br>
<br>
</font><font size=2 face="sans-serif"><br>
I have found similar thread for [Xymon] 4.3.25 - ouch (reverting
to 4.3.22), but not identical and it looks like final solution was not
found.</font><font size=3 face="Arial"> </font><font size=3 color=blue face="Arial"><u><br>
</u></font><a href="http://lists.xymon.com/archive/2016-February/043013.html"><font size=2 color=blue face="sans-serif"><u>http://lists.xymon.com/archive/2016-February/043013.html</u></font></a><font size=3 face="Arial">
<br>
</font><font size=2 face="sans-serif"><br>
I have compared pages sources from XyMon 4.3.17 and 4.3.27
for the same content.</font><font size=3 face="Arial"> </font><font size=2 face="sans-serif"><br>
and the difference is only 1 line, which IMHO should not affect - 1 menu
item added in 4.3.27:</font><font size=3 face="Arial"> </font><font size=2 face="sans-serif"><br>
<a class="inner" href="/xymon-cgi/acknowledgements.sh">Acknowledgements</a></font><font size=3 face="Arial">
<br>
</font><font size=2 face="sans-serif"><br>
If I save both pages locally as HTML file and open in Chrome - java script
function is working and there are no "sandboxed" errors.</font><font size=3 face="Arial">
</font>
<br><font size=3 face="Arial"><br>
Hi,<br>
<br>
Yes, this was part of the anti-XSS/CSP fix that went into 4.3.25. There
were some initial problems, but I believe we resolved those issues completely
within 4.3.26.<br>
<br>
The headers in question are generated at the CGI layer rather than in the
templates, which is why you don't see much of a change there. <br>
<br>
You can bypass this generation by setting the "XYMON_NOCSPHEADER"=
variable to something non-empty in xymonserver.cfg on your xymongen server.
This should only be done on systems you feel comfortable with the integrity
of the clients of, as it allows arbitrary javascript to be returned in
status and client messages (cf. </font><a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2058"><font size=3 color=blue face="Arial"><u>https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2058</u></font></a><font size=3 face="Arial">)<br>
<br>
HTH,<br>
-jc</font>
<br>
<br>