[Xymon] "sandboxed" errors in 4.3.27

Thu Jan 12 18:34:44 CET 2017

We have recently upgraded our monitoring server from 4.3.17 to 4.3.27  and 
now getting " is sandboxed, and the 'allow-scripts' keyword is not set." 
errors in modern Chrome
for svcstatus.sh pages

Let me explain:
Some our custom tests may generate large content with detailed technical 
information, which is not always required to show on web-page.
monitoring test generate HTML content with DIV having  style='display: 
none' 

HTML content also contains <A HREF> element with java script function call 
to show DIV content on click (or hide on click again)
Appropriate java script function is placed in page header  - it was placed 
in HEAD element - in 
./server/web/hostsvc_header
./server/web/histlog_header

so generated header is the following:
==============
<HEAD>
<META HTTP-EQUIV="REFRESH" CONTENT="60">
<META HTTP-EQUIV="EXPIRES" CONTENT="Sat, 01 Jan 2001 00:00:00 GMT">
<META HTTP-EQUIV="Set-Cookie" CONTENT="pagepath=; path=/">
<META HTTP-EQUIV="Set-Cookie" CONTENT="host=target-hostname; path=/">
<TITLE>yellow : Xymon - dbinvobj status forhost=target-hostname (10.*.*.*) 
@ Thu Jan 12 19:07:47 2017</TITLE>

<!-- Styles for the Xymon body  -->
<link rel="stylesheet" type="text/css" href="/xymon/gifs/xymonbody.css">

<!-- Styles for the menu bar -->
<link rel="stylesheet" type="text/css" 
href="/xymon/menu/xymonmenu-blue.css">

<!-- The favicon image -->
<link rel="shortcut icon" href="/xymon/gifs/favicon-yellow.ico">

<!-- CoMinder customisation -->
<script language="JavaScript1.2" type="text/javascript">
function toggle_div(p_DivName,p_LinkName,p_showCaption,p_HideCaption) {
        var div_element = document.getElementById(p_DivName);
        var text = document.getElementById(p_LinkName);
        if(div_element.style.display == "block") {
    div_element.style.display = "none";
                text.innerHTML = p_showCaption;
        }
        else {
                div_element.style.display = "block";
                text.innerHTML = p_HideCaption;
        }
}
</script>
<!-- end of CoMinder customisation -->

</HEAD>
==============

It was working fine in 4.3.17 (really we still have one monitoring server 
of that version and it is working)
In 4.3.27 - we get the following errors in latest Chrome  and our java 
script function is not working (nothing happens)

1)
Refused to execute the redirect specified via '<meta http-equiv='refresh' 
content='...'>'. The document is sandboxed, and the 'allow-scripts' 
keyword is not set.

2) 
Blocked script execution in 
'https://myhostname:port/xymon-cgi/svcstatus.sh?HOST=target-hostname&SERVICE=custmetric' 
because the document's frame is sandboxed and the 'allow-scripts' 
permission is not set.

Note: old Opera (before Chromium), old (2013) Chrome and more or less 
modern FireFox ESR does not have such problem.

I have found similar thread for  [Xymon] 4.3.25 - ouch (reverting to 
4.3.22), but not identical and it looks like final solution was not found.
http://lists.xymon.com/archive/2016-February/043013.html

I have compared pages sources from XyMon  4.3.17  and  4.3.27  for the 
same content.
and the difference is only 1 line, which IMHO should not affect - 1 menu 
item added in 4.3.27:
<a class="inner" 
href="/xymon-cgi/acknowledgements.sh">Acknowledgements</a>

If I save both pages locally as HTML file and open in Chrome - java script 
function is working and there are no "sandboxed"  errors.

Best regards,

Andrey Chervonets
----------------------
SIA CoMinder
http://www.cominder.eu/
mobile: +371 26517848

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.xymon.com/pipermail/xymon/attachments/20170112/239a7de9/attachment.html>