[Xymon] [External] Re: Problems with Content Security Policy in Safari, Chrome, and IE

Rothlisberger, John R. john.r.rothlisberger at accenture.com
Tue Jul 17 21:37:54 CEST 2018

I am now having this error on one of my many Xymon servers – newly built Ubuntu 16.04LTS.

I have tried making some changes in apache to no avail and so far I haven’t found anything in the config file to change this.

[Tue Jul 17 15:16:16.820076 2018] [cgi:error] [pid 21003:tid 140629812131584] [client x.x.x.x:44224] AH01215: 2018-07-17 15:16:16.819794 Enadis POST that is not coming from self or svcstatus (referer=https://x.x.x/xymon-cgi/enadis.sh). Ignoring.: /home/xymon/cgi-bin/enadis.sh, referer: https://x.x.x/xymon-cgi/enadis.sh


From: Xymon [mailto:xymon-bounces at xymon.com] On Behalf Of Hansen, Rene H
Sent: Wednesday, March 21, 2018 7:19 AM
To: John Thurston <john.thurston at alaska.gov>; xymon at xymon.com
Subject: [External] Re: [Xymon] Problems with Content Security Policy in Safari, Chrome, and IE

Hello John

Please let me know if I should send to mailinglist. This my first call for help.

I'm having trouble with enadis. I'm not sure if it's completely the same as you describe here but it looks similar.

We have installed xymon-4.3.28-1.el7.x86_64.rpm (terabithia.org) If I need to play with changing cgi.c and recompiling will make install reinstall without need for changes?

When we try to run enadis from either info og from Enable/disable menu we get the following error in xymon-error.log

[Tue Mar 20 16:54:05.786245 2018] [cgi:error] [pid 9121] [client] AH01215: 2018-03-20 16:54:05.786123 Enadis POST that is not coming from self or svcstatus (referer=https://xxxyyy.dk/xymon-seccgi/enadis.sh). Ignoring., referer: https:// xxxyyy.dk/xymon-seccgi/enadis.sh

I have tried to set XYMON_NOCSPHEADER="true" in either xymonserver.cfg or /etc/xymon/cgioptions.cfg but is doesn’t seem to make a difference

We have a httpd proxy in front were I had csp configured – but have tried to uncomment it and still gets the same error.

I have testet with Firefox 59.0 and Chrome (64.0.3282.186) where javascript doesn’t work with “Enable/disable menu” – and iexplorer (11.0.51)

(if I want to test directly without httpd/proxy I only have iexplorer v8)

(httpd/proxy )

        #Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains;"

        #Header always set X-Frame-Options "SAMEORIGIN"

        #Header always set X-Content-Type-Options "nosniff"

        #Header always unset Content-Security-Policy

        #Header always set Content-Security-Policy "xdwsscript-src 'self'"

        #Header always set X-XSS-Protection "1; mode=block"

        #Header always set Referrer-Policy "no-referrer"

        #Header unset Server

        #Header set X-Frame-Options "DENY"

        SSLProxyEngine on

        #ProxyPreserveHost On

        ServerName  xxxyy.dk

        SSLProxyVerify none

        SSLProxyCheckPeerCN off

        SSLProxyCheckPeerName off

        SSLProxyCheckPeerExpire on

        ProxyPass /xymon https://xxxyyy.dk:443/xymon

        ProxyPassReverse /xymon https://xxx.xxx.xxx.xxx:443/xymon

        ProxyPass /xymon-cgi https://xxx.xxx.xxx.xxx:443/xymon-cgi

        ProxyPassReverse /xymon-cgi https://xxx.xxx.xxx.xxx:443/xymon-cgi

        ProxyPass /xymon-seccgi/ https://xxx.xxx.xxx.xxx:443/xymon-seccgi/

        ProxyPassReverse /xymon-seccgi/ https://xxx.xxx.xxx.xxx:443/xymon-seccgi/


Senior Prof. Middleware System Engineer (EA&I)

DXC Technology

Retortvej 8, DK - 2500 Valby, Denmark, I-1-356

Mobile: +45 2923 5807

Email: rhansen21 at dxc.com<mailto:rhansen21 at dxc.com>

Leave information in advance: :   Out of office  both days included

-----Original Message-----
From: Xymon [mailto:xymon-bounces at xymon.com] On Behalf Of John Thurston
Sent: 9. november 2017 20:26
To: xymon at xymon.com<mailto:xymon at xymon.com>
Subject: Re: [Xymon] Problems with Content Security Policy in Safari, Chrome, and IE

On 11/8/2017 7:40 PM, Jonathan Trott wrote:

> Xymon 4.3.28-1.el7.terabithia with Safari 11 on High Sierra and Safari on iOS 11.

> Problem occurs on the trends page.


> https://xymon.domain.com.au/xymon-cgi/svcstatus.sh?HOST=host.com.au&SE<https://urldefense.proofpoint.com/v2/url?u=https-3A__xymon.domain.com.au_xymon-2Dcgi_svcstatus.sh-3FHOST-3Dhost.com.au-26SE&d=DwMGaQ&c=eIGjsITfXP_y-DLLX0uEHXJvU8nOHrUK8IrwNKOtkVU&r=u6KtIBCRNAeN-AbgJjdZe5zZJVFEfq04dnWD-hYNPL_fxJIIFncbL8W6k0NMJtuq&m=-wgc4FYM8JKYI7ALjLgnnAXACNO4yqsbriNjpp4jQNA&s=tllkfnhPoE13cLO_V2ePcw4b17_lh_tpUEHgBmpmaQI&e=>

> RVICE=trends


> If you click on any of the time based buttons, 48hrs for example, the requested page doesn't load.

> Safari on macOS look like it's loading a page but doesn't get anywhere.

I'm able to duplicate this failure when building 4.3.28 from source on Solaris 10. It looks to me like the fix is to add "allow-same-origin" in lib/cgi.c to line 278

> else if (strncmp(str, "svcstatus-trends", 16) == 0) csppol =

> strdup("script-src 'self' 'unsafe-inline'; connect-src 'self';

> form-action 'self'; sandbox allow-forms allow-scripts

> allow-same-origin;");


How many other pages are broken in a similar manner? I'm not a big user of Google Chrome, so depend on my customers to report these breaks to me.

Each of the following pages gets a specif CSP:

> "enadis"

> "useradm"

> "chpasswd"

> "ackinfo"

> "acknowledge"

> "criticaleditor"

> "svcstatus-trends

> "svcstatus-info"

> "svcstatus"

> "historylog"

svcstatus-info and -trends are special cases of the general purpose svcstatus case.

I've done spot-checks of these other pages with my copy of Chrome and they seem to behave correctly. Anyone else wanna check their browser/OS combinations and report back?


    Do things because you should, not just because you can.

John Thurston    907-465-8591

John.Thurston at alaska.gov<mailto:John.Thurston at alaska.gov>

Department of Administration

State of Alaska


Xymon mailing list

Xymon at xymon.com<mailto:Xymon at xymon.com>


CSC Danmark A/S - Registered Office: Retortvej 8, DK - 2500 Valby, Denmark - Registered in Denmark No: 15231599.
DXC Technology Company -- This message is transmitted to you by or on behalf of DXC Technology Company or one of its affiliates. It is intended exclusively for the addressee. The substance of this message, along with any attachments, may contain proprietary, confidential or privileged information or information that is otherwise legally exempt from disclosure. Any unauthorized review, use, disclosure or distribution is prohibited. If you are not the intended recipient of this message, you are not authorized to read, print, retain, copy or disseminate any part of this message. If you have received this message in error, please destroy and delete all copies and notify the sender by return e-mail. Regardless of content, this e-mail shall not operate to bind DXC Technology Company or any of its affiliates to any order or other contract unless pursuant to explicit written agreement or government initiative expressly permitting the use of e-mail for such purpose.


This message is for the designated recipient only and may contain privileged, proprietary, or otherwise confidential information. If you have received it in error, please notify the sender immediately and delete the original. Any other use of the e-mail by you is prohibited. Where allowed by local law, electronic communications with Accenture and its affiliates, including e-mail and instant messaging (including content), may be scanned by our systems for the purposes of information security and assessment of internal compliance with Accenture policy. Your privacy is important to us. Accenture uses your personal data only in compliance with data protection laws. For further information on how Accenture processes your personal data, please see our privacy statement at https://www.accenture.com/us-en/privacy-policy.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.xymon.com/pipermail/xymon/attachments/20180717/ca3b682e/attachment.html>

More information about the Xymon mailing list