[Xymon] "sandboxed" errors in 4.3.27
Andrey Chervonets
A.Chervonets at cominder.eu
Thu Jan 12 22:49:13 CET 2017
Thank You!
Setting the XYMON_NOCSPHEADER - fixed the trouble.
In this case the clients are relatively safe.
Best regards,
Andrey Chervonets
----------------------
SIA CoMinder
http://www.cominder.eu/
From: Japheth Cleaver <cleaver at terabithia.org>
To: Andrey Chervonets <A.Chervonets at cominder.eu>, xymon at xymon.com
Date: 12.01.2017 20:12
Subject: Re: [Xymon] "sandboxed" errors in 4.3.27
On 1/12/2017 9:34 AM, Andrey Chervonets wrote:
We have recently upgraded our monitoring server from 4.3.17 to 4.3.27 and
are now getting " is sandboxed, and the 'allow-scripts' keyword is not set."
errors in modern Chrome for svcstatus.sh pages.
Let me explain:
Some of our custom tests may generate large content with detailed technical
information, which is not always required to show on the web page.
The monitoring test generates HTML content with a DIV having style='display:
none'.
The HTML content also contains an <A HREF> element with a JavaScript function call
to show the DIV content on click (or hide it on click again).
The appropriate JavaScript function is placed in the page header - it was placed
in the HEAD element - in
./server/web/hostsvc_header
./server/web/histlog_header
so generated header is the following:
==============
<HEAD>
<META HTTP-EQUIV="REFRESH" CONTENT="60">
<META HTTP-EQUIV="EXPIRES" CONTENT="Sat, 01 Jan 2001 00:00:00 GMT">
<META HTTP-EQUIV="Set-Cookie" CONTENT="pagepath=; path=/">
<META HTTP-EQUIV="Set-Cookie" CONTENT="host=target-hostname; path=/">
<TITLE>yellow : Xymon - dbinvobj status forhost=target-hostname (10.*.*.*) @ Thu Jan 12 19:07:47 2017</TITLE>
<!-- Styles for the Xymon body -->
<link rel="stylesheet" type="text/css" href="/xymon/gifs/xymonbody.css">
<!-- Styles for the menu bar -->
<link rel="stylesheet" type="text/css" href="/xymon/menu/xymonmenu-blue.css">
<!-- The favicon image -->
<link rel="shortcut icon" href="/xymon/gifs/favicon-yellow.ico">
<!-- CoMinder customisation -->
<script language="JavaScript1.2" type="text/javascript">
// Show or hide the DIV named p_DivName and swap the caption of the
// link named p_LinkName between p_showCaption and p_HideCaption.
function toggle_div(p_DivName, p_LinkName, p_showCaption, p_HideCaption) {
    var div_element = document.getElementById(p_DivName);
    var text = document.getElementById(p_LinkName);
    if (div_element.style.display == "block") {
        div_element.style.display = "none";
        text.innerHTML = p_showCaption;
    }
    else {
        div_element.style.display = "block";
        text.innerHTML = p_HideCaption;
    }
}
</script>
<!-- end of CoMinder customisation -->
</HEAD>
==============
It was working fine in 4.3.17 (really, we still have one monitoring server
of that version and it is working).
In 4.3.27 we get the following errors in the latest Chrome, and our JavaScript
function is not working (nothing happens):
1)
Refused to execute the redirect specified via '<meta http-equiv='refresh'
content='...'>'. The document is sandboxed, and the 'allow-scripts'
keyword is not set.
2)
Blocked script execution in
'https://myhostname:port/xymon-cgi/svcstatus.sh?HOST=target-hostname&SERVICE=custmetric' because
the document's frame is sandboxed and the 'allow-scripts' permission is
not set.
Note: old Opera (before Chromium), old (2013) Chrome and a more or less
modern Firefox ESR do not have this problem.
I have found a similar thread, "[Xymon] 4.3.25 - ouch (reverting to
4.3.22)", but it is not identical and it looks like a final solution was not found:
http://lists.xymon.com/archive/2016-February/043013.html
I have compared the page sources from Xymon 4.3.17 and 4.3.27 for the
same content, and the difference is only 1 line, which IMHO should not affect
it - 1 menu item added in 4.3.27:
<a class="inner" href="/xymon-cgi/acknowledgements.sh">Acknowledgements</a>
If I save both pages locally as HTML files and open them in Chrome, the JavaScript
function works and there are no "sandboxed" errors.
Hi,
Yes, this was part of the anti-XSS/CSP fix that went into 4.3.25. There
were some initial problems, but I believe we resolved those issues
completely within 4.3.26.
The headers in question are generated at the CGI layer rather than in the
templates, which is why you don't see much of a change there.
You can bypass this generation by setting the XYMON_NOCSPHEADER
variable to something non-empty in xymonserver.cfg on your xymongen
server. This should only be done on systems where you feel comfortable with the
integrity of the clients, as it allows arbitrary JavaScript to be
returned in status and client messages (cf.
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2058).
HTH,
-jc
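The browser behaviour both messages describe follows from the CSP "sandbox" directive: without the "allow-scripts" keyword, Chrome refuses script execution and the <meta http-equiv="refresh"> redirect. The following script is an added example, not Xymon code: it parses a Content-Security-Policy header value and predicts those symptoms, and it also shows what the XYMON_NOCSPHEADER trade-off looks like (no header at all). The policy strings in it are constructed for illustration, not the header Xymon 4.3.27 actually emits.

```python
"""Predict the "sandboxed ... 'allow-scripts' keyword is not set" symptoms
from a Content-Security-Policy header value.

Added example, not Xymon's code. STRICT and RELAXED below are constructed
sample policies, not the header string Xymon 4.3.27 really sends.
"""
from typing import Dict, List, Optional


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split a CSP header into {directive-name: [tokens]} (names lowercased)."""
    policy: Dict[str, List[str]] = {}
    for directive in header.split(";"):
        parts = directive.strip().split()
        if not parts:
            continue
        name, tokens = parts[0].lower(), parts[1:]
        # CSP honours only the first occurrence of a directive name.
        policy.setdefault(name, tokens)
    return policy


def sandbox_report(header: Optional[str]) -> Dict[str, bool]:
    """Map a policy onto the behaviours discussed in the thread.

    - header is None: what XYMON_NOCSPHEADER produces. Nothing is sandboxed,
      but nothing restrains script in status/client messages either.
    - 'sandbox' without 'allow-scripts': inline/external script and the
      meta refresh redirect are refused, matching the quoted Chrome errors.
    - 'sandbox allow-scripts': the toggle_div() function would run again,
      but the sandbox then no longer blocks script at all.
    """
    if header is None:
        return {"csp_present": False, "sandboxed": False,
                "scripts_blocked": False, "meta_refresh_blocked": False}
    policy = parse_csp(header)
    sandboxed = "sandbox" in policy
    allow_scripts = sandboxed and "allow-scripts" in [t.lower() for t in policy["sandbox"]]
    blocked = sandboxed and not allow_scripts
    return {"csp_present": True, "sandboxed": sandboxed,
            "scripts_blocked": blocked, "meta_refresh_blocked": blocked}


# Constructed sample policies (not Xymon's real header value).
STRICT = "default-src 'self'; sandbox"
RELAXED = "default-src 'self'; sandbox allow-scripts allow-same-origin"

if __name__ == "__main__":
    for label, hdr in (("strict", STRICT), ("relaxed", RELAXED), ("no CSP", None)):
        print(label, sandbox_report(hdr))
```

To check a live server, fetch a svcstatus.sh page with curl -I and pass the Content-Security-Policy value (or None if the header is absent) to sandbox_report().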