[Xymon] Problems with Content Security Policy in Safari, Chrome, and IE

John Thurston john.thurston at alaska.gov
Thu Nov 9 20:26:11 CET 2017


On 11/8/2017 7:40 PM, Jonathan Trott wrote:
> Xymon 4.3.28-1.el7.terabithia with Safari 11 on High Sierra and Safari on iOS 11.
> Problem occurs on the trends page.
> 
> https://xymon.domain.com.au/xymon-cgi/svcstatus.sh?HOST=host.com.au&SERVICE=trends
> 
> If you click on any of the time based buttons, 48hrs for example, the requested page doesn't load.
> Safari on macOS look like it's loading a page but doesn't get anywhere. 

I'm able to duplicate this failure when building 4.3.28 from source on 
Solaris 10. It looks to me like the fix is to add "allow-same-origin" in 
lib/cgi.c to line 278

> else if (strncmp(str, "svcstatus-trends", 16) == 0) csppol = strdup("script-src 'self' 'unsafe-inline'; connect-src 'self'; form-action 'self'; sandbox allow-forms allow-scripts allow-same-origin;");
>  

How many other pages are broken in a similar manner? I'm not a big user 
of Google Chrome, so depend on my customers to report these breaks to me.

Each of the following pages gets a specif CSP:
> "enadis"
> "useradm"
> "chpasswd"
> "ackinfo"
> "acknowledge"
> "criticaleditor"
> "svcstatus-trends
> "svcstatus-info"
> "svcstatus"
> "historylog"

svcstatus-info and -trends are special cases of the general purpose 
svcstatus case.

I've done spot-checks of these other pages with my copy of Chrome and 
they seem to behave correctly. Anyone else wanna check their browser/OS 
combinations and report back?

--
    Do things because you should, not just because you can.

John Thurston    907-465-8591
John.Thurston at alaska.gov
Department of Administration
State of Alaska



More information about the Xymon mailing list