[Xymon] Problems with Content Security Policy in Safari, Chrome, and IE

Jonathan Trott jtrott at dancrai.com
Thu Nov 9 05:40:55 CET 2017


Xymon 4.3.28-1.el7.terabithia with Safari 11 on High Sierra and Safari on 
iOS 11.
Problem occurs on the trends page.

https://xymon.domain.com.au/xymon-cgi/svcstatus.sh?HOST=host.com.au&SERVICE=trends

If you click on any of the time based buttons, 48hrs for example, the 
requested page doesn't load.
Safari on macOS looks like it's loading a page but doesn't get anywhere.
Safari on iOS does nothing at all when you tap the button.

The console in Safari reveals the following error:

Refused to load 
https://xymon.domain.com.au/xymon-cgi/svcstatus.sh?HOST=host.com.au&SERVICE=trends&backdays=48&backhours=&backmins=&backsecs=&FROMTIME=&TOTIME= 
because it does not appear in the form-action directive of the Content 
Security Policy.

Checking the headers shows this content security policy:

Content-Security-Policy: script-src 'self' 'unsafe-inline'; connect-src 
'self'; form-action 'self'; sandbox allow-forms allow-scripts;

I'm not that well versed in the CSP stuff, but I note that it also fails 
with the same error in the latest Chrome 62.0.3202.89, and in Internet 
Explorer 11.0.9600.18817 (no error logged), but works in the latest 
Firefox 56.0.2.

Has anyone else run into this issue, or have any more information on how I 
can modify the CSP headers to test?

I tried using Header set Content-Security-Policy in Apache, but that seems 
to add an improperly formatted addition to the rules rather than 
overwriting them.

Thanks,
JT
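As an added example (not Xymon's code and not part of the post), the script below parses the policy quoted above and models the CSP rule that matters for it: a `sandbox` directive without `allow-same-origin` gives the document an opaque origin, so `'self'` in `form-action` can never match the page's own origin. The URLs are constructed stand-ins for the hosts in the post, and the "fixed" policy simply adds `allow-same-origin` to the sandbox list.

```python
"""Model CSP form-action matching for the policy quoted in the post."""
from urllib.parse import urlsplit

# Policy quoted in the post (as sent by svcstatus.sh) and a variant with
# allow-same-origin added to the sandbox directive.
XYMON_CSP = ("script-src 'self' 'unsafe-inline'; connect-src 'self'; "
             "form-action 'self'; sandbox allow-forms allow-scripts;")
XYMON_CSP_SAME_ORIGIN = XYMON_CSP.replace(
    "allow-scripts;", "allow-scripts allow-same-origin;")

# Constructed URLs standing in for the hosts in the post.
PAGE = "https://xymon.example/xymon-cgi/svcstatus.sh?HOST=h&SERVICE=trends"
TARGET = PAGE + "&backdays=48&backhours=&backmins=&backsecs=&FROMTIME=&TOTIME="


def parse_csp(header):
    """Split a CSP header into {directive: [source tokens]}; first wins."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def form_action_allowed(header, page_url, target_url):
    """Return (allowed, reason) for a form on page_url submitting to target_url.

    Handles *, scheme-source ("https:"), 'self' and exact origin host-sources;
    wildcard hosts and paths are not modelled.
    """
    policy = parse_csp(header)
    sources = [s.lower() for s in policy.get("form-action", [])]
    if "form-action" not in policy:
        return True, "no form-action directive"
    page, target = urlsplit(page_url), urlsplit(target_url)
    # A sandbox directive without allow-same-origin gives the document an
    # opaque origin, so 'self' can never match the page's own origin.
    opaque = "sandbox" in policy and "allow-same-origin" not in policy["sandbox"]
    for src in sources:
        if src in ("*", target.scheme + ":"):
            return True, f"matched {src}"
        if src == "'self'" and not opaque and \
                (page.scheme, page.netloc) == (target.scheme, target.netloc):
            return True, "matched 'self'"
        if src == f"{target.scheme}://{target.netloc}":
            return True, f"matched host-source {src}"
    if opaque and "'self'" in sources:
        return False, "sandbox without allow-same-origin: 'self' cannot match"
    return False, "no form-action source matched"
```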