[Xymon] Problems with Content Security Policy in Safari, Chrome, and IE
Jonathan Trott
jtrott at dancrai.com
Thu Nov 9 05:40:55 CET 2017
Xymon 4.3.28-1.el7.terabithia with Safari 11 on High Sierra and Safari on
iOS 11.
Problem occurs on the trends page.
https://xymon.domain.com.au/xymon-cgi/svcstatus.sh?HOST=host.com.au&SERVICE=trends
If you click on any of the time based buttons, 48hrs for example, the
requested page doesn't load.
Safari on macOS looks like it's loading a page but doesn't get anywhere.
Safari on iOS does nothing at all when you tap the button.
The console in Safari reveals the following error:
Refused to load
https://xymon.domain.com.au/xymon-cgi/svcstatus.sh?HOST=host.com.au&SERVICE=trends&backdays=48&backhours=&backmins=&backsecs=&FROMTIME=&TOTIME=
because it does not appear in the form-action directive of the Content
Security Policy.
Checking the headers shows this content security policy:
Content-Security-Policy: script-src 'self' 'unsafe-inline'; connect-src
'self'; form-action 'self'; sandbox allow-forms allow-scripts;
I'm not that well versed in the CSP stuff, but I note that it also fails
with the same error in the latest Chrome 62.0.3202.89, and in Internet
Explorer 11.0.9600.18817 (no error logged), but works in the latest
Firefox 56.0.2.
Has anyone else run into this issue, or have any more information on how I
can modify the CSP headers to test?
I tried using Header set Content-Security-Policy in apache but that seems
to add an improperly formatted addition to the rules rather than
overwriting them.
Thanks,
JT
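The policy quoted above combines `form-action 'self'` with a `sandbox` directive that lacks `allow-same-origin`. The following is an added example, not Xymon's own code, that parses such a header and evaluates whether the 48hrs form submission would be allowed; it assumes the CSP rule that a sandbox without `allow-same-origin` gives the document an opaque origin, against which `'self'` cannot match, so the same check passes once `allow-same-origin` is present.

```python
"""Evaluate a form submission against a Content-Security-Policy header."""
from urllib.parse import urlparse

# Header and URLs copied from the report above (constructed test inputs).
XYMON_CSP = ("script-src 'self' 'unsafe-inline'; connect-src 'self'; "
             "form-action 'self'; sandbox allow-forms allow-scripts;")
PAGE_URL = ("https://xymon.domain.com.au/xymon-cgi/svcstatus.sh"
            "?HOST=host.com.au&SERVICE=trends")
FORM_URL = PAGE_URL + "&backdays=48&backhours=&backmins=&backsecs=&FROMTIME=&TOTIME="


def parse_csp(header):
    """Split a CSP header into {directive-name: [source expressions]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def origin_of(url):
    """(scheme, host, port) tuple; default ports filled in for http/https."""
    p = urlparse(url)
    scheme = p.scheme.lower()
    return (scheme, p.hostname or "", p.port or {"https": 443, "http": 80}.get(scheme))


def self_origin(policy, page_url):
    """Origin that 'self' denotes for this document.
    Assumption: a `sandbox` directive without allow-same-origin makes the
    document's origin opaque, so 'self' matches no URL at all (returns None)."""
    if "sandbox" in policy and "allow-same-origin" not in policy["sandbox"]:
        return None
    return origin_of(page_url)


def form_action_allowed(policy, page_url, target_url):
    """True if form-action permits submitting to target_url (host wildcards
    and path matching are not modelled; enough for the 'self' case)."""
    sources = policy.get("form-action")
    if sources is None:
        return True                       # no form-action directive: unrestricted
    target = origin_of(target_url)
    page_origin = self_origin(policy, page_url)
    for src in (s.lower() for s in sources):
        if src == "*":
            return True
        if src == "'self'" and page_origin is not None and page_origin == target:
            return True
        if not src.startswith("'") and "://" in src and origin_of(src) == target:
            return True
    return False
```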