<div dir="ltr"><div>Hi,</div><div><br></div>I experience the same issue on MacOS (High Sierra) with the browsers:<div>- Safari (Versie 11.0.1 (13604.3.5)) and</div><div>- Chrome <span style="color:rgb(117,117,117);font-family:Roboto,system-ui,sans-serif;font-size:13px">Versie 62.0.3202.94 (Officiële build) (64-bits)</span>. <div><br></div><div>No problems with:</div><div>- Firefox (57.0 (64-bit)),</div><div><br></div><div><br></div><div>I will try the setting:</div><div><br></div><div><span style="font-size:12.8px"> XYMON_NOCSPHEADER="TRUE"</span><br></div><div><span style="font-size:12.8px"><br></span></div><div>-- Peter</div></div></div><div class="gmail_extra"><br><div class="gmail_quote">2017-11-09 20:26 GMT+01:00 John Thurston <span dir="ltr"><<a href="mailto:john.thurston@alaska.gov" target="_blank">john.thurston@alaska.gov</a>></span>:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span class="">On 11/8/2017 7:40 PM, Jonathan Trott wrote:<br>
</span><span class=""><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Xymon 4.3.28-1.el7.terabithia with Safari 11 on High Sierra and Safari on iOS 11.<br>
Problem occurs on the trends page.<br>
<br>
<a href="https://xymon.domain.com.au/xymon-cgi/svcstatus.sh?HOST=host.com.au&SERVICE=trends" rel="noreferrer" target="_blank">https://xymon.domain.com.au/xy<wbr>mon-cgi/svcstatus.sh?HOST=host<wbr>.com.au&SERVICE=trends</a><br>
<br>
If you click on any of the time based buttons, 48hrs for example, the requested page doesn't load.<br>
Safari on macOS look like it's loading a page but doesn't get anywhere. <br>
</blockquote>
<br></span>
I'm able to duplicate this failure when building 4.3.28 from source on Solaris 10. It looks to me like the fix is to add "allow-same-origin" in lib/cgi.c to line 278<br>
<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
else if (strncmp(str, "svcstatus-trends", 16) == 0) csppol = strdup("script-src 'self' 'unsafe-inline'; connect-src 'self'; form-action 'self'; sandbox allow-forms allow-scripts allow-same-origin;");<br>
<br>
</blockquote>
<br>
How many other pages are broken in a similar manner? I'm not a big user of Google Chrome, so depend on my customers to report these breaks to me.<br>
<br>
Each of the following pages gets a specif CSP:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
"enadis"<br>
"useradm"<br>
"chpasswd"<br>
"ackinfo"<br>
"acknowledge"<br>
"criticaleditor"<br>
"svcstatus-trends<br>
"svcstatus-info"<br>
"svcstatus"<br>
"historylog"<br>
</blockquote>
<br>
svcstatus-info and -trends are special cases of the general purpose svcstatus case.<br>
<br>
I've done spot-checks of these other pages with my copy of Chrome and they seem to behave correctly. Anyone else wanna check their browser/OS combinations and report back?<div class="HOEnZb"><div class="h5"><br>
<br>
--<br>
Do things because you should, not just because you can.<br>
<br>
John Thurston 907-465-8591<br>
<a href="mailto:John.Thurston@alaska.gov" target="_blank">John.Thurston@alaska.gov</a><br>
Department of Administration<br>
State of Alaska<br>
______________________________<wbr>_________________<br>
Xymon mailing list<br>
<a href="mailto:Xymon@xymon.com" target="_blank">Xymon@xymon.com</a><br>
<a href="http://lists.xymon.com/mailman/listinfo/xymon" rel="noreferrer" target="_blank">http://lists.xymon.com/mailman<wbr>/listinfo/xymon</a><br>
</div></div></blockquote></div><br></div>