[Xymon] Problems with Content Security Policy in Safari, Chrome, and IE
John Thurston
john.thurston at alaska.gov
Thu Nov 9 20:26:11 CET 2017
On 11/8/2017 7:40 PM, Jonathan Trott wrote:
> Xymon 4.3.28-1.el7.terabithia with Safari 11 on High Sierra and Safari on iOS 11.
> Problem occurs on the trends page.
>
> https://xymon.domain.com.au/xymon-cgi/svcstatus.sh?HOST=host.com.au&SERVICE=trends
>
> If you click on any of the time based buttons, 48hrs for example, the requested page doesn't load.
> Safari on macOS look like it's loading a page but doesn't get anywhere.
I'm able to duplicate this failure when building 4.3.28 from source on
Solaris 10. It looks to me like the fix is to add "allow-same-origin" in
lib/cgi.c to line 278
> else if (strncmp(str, "svcstatus-trends", 16) == 0) csppol = strdup("script-src 'self' 'unsafe-inline'; connect-src 'self'; form-action 'self'; sandbox allow-forms allow-scripts allow-same-origin;");
>
How many other pages are broken in a similar manner? I'm not a big user
of Google Chrome, so depend on my customers to report these breaks to me.
Each of the following pages gets a specif CSP:
> "enadis"
> "useradm"
> "chpasswd"
> "ackinfo"
> "acknowledge"
> "criticaleditor"
> "svcstatus-trends
> "svcstatus-info"
> "svcstatus"
> "historylog"
svcstatus-info and -trends are special cases of the general purpose
svcstatus case.
I've done spot-checks of these other pages with my copy of Chrome and
they seem to behave correctly. Anyone else wanna check their browser/OS
combinations and report back?
--
Do things because you should, not just because you can.
John Thurston 907-465-8591
John.Thurston at alaska.gov
Department of Administration
State of Alaska
More information about the Xymon
mailing list