[Xymon] 4.3.25 - ouch (reverting to 4.3.22)

John Thurston john.thurston at alaska.gov
Wed Feb 10 22:23:51 CET 2016 

My testing of the release candidate was obviously inadequate. My phone 
rang off the hook after shipping 4.3.25 to my production server. I've 
reverted it to 4.3.22 while I try to get a handle on the changes.

:: svcstatus refresh ::

I didn't see any mention of this in the release notes, but the page is 
now being delivered with a 30-second _header_ refresh in place of a 
60-second _meta_ refresh.

I assume the change in method is related to XSS protection changes, but 
I don't know for sure. The shortening of the interval concerns me much 
more than the change in method. I'd prefer the darned page didn't 
refresh at all, but hard coding it to every half minute?  Ouch. Ick. 
What's the business case here? Anyone who his visually monitoring a 
single info page can hit F5 when they want a refresh, can't they?

:: XSS protections ::

It looks like the XSS protection bits inserted into http headers
> content-security-policy: script-src 'self'; connect-src 'self'; form-action 'self'; sandbox allow-forms;
> X-Content-Security-Policy: script-src 'self'; connect-src 'self'; form-action 'self'; sandbox allow-forms;
> X-Webkit-CSP: script-src 'self'; connect-src 'self'; form-action 'self'; sandbox allow-forms;

has broken several functions for me. The most important things are the 
notes our operators use to figure out who to call. We insert some html 
into the DESCR tag of hosts.cfg. This appears on the "info" page as a 
link. The links are to static content served by the same Apache web 
server. The tags are of the form:
> DESCR:"Important Server:<a href=/xymon/CNotes/ImportantServer target=Notes>Reference notes</a>"

With Firefox, the links work. With InternetExploder and Chrome, the 
links quietly fail to work. The Chrome console returns the error message:
   Blocked script execution in 'https://foo.bar.com/xymon-
   cgi/svcstatus.sh?HOST=bb.bar.com&SERVICE=info' because
   the document's frame is sandboxed and the 'allow-scripts'
   permission is not set.
Removing the "target" property from the A tag allows it to work. It 
overwrites the info page, but at least it works :p It feels like a step 
back to the 90's be forced into a single page that keeps getting replaced.

I don't know enough about the "content security policy". What are my 
options to retain the named-window/tab capabilities?

:: svcstatus disable function ::

We are unable to enable/disable test from a host's "info" page. We can 
do so from enadis.sh, but this is a lot harder for many of our users.

In Chrome, attempts to disable tests from the "info" page is generating 
the same "frame is sandboxed" messages.

In Firefox, the attempts just don't do anything. There are messages in 
the console
   Content Security Policy: The page's settings blocked the loading
   of a resource at self ("script-src https://x.foo.com").
so maybe the information necessary to build the form isn't even being 
loaded.


-- 
    Do things because you should, not just because you can.

John Thurston    907-465-8591
John.Thurston at alaska.gov
Enterprise Technology Services
Department of Administration
State of Alaska

More information about the Xymon mailing list