[Xymon] Problems with Content Security Policy in Safari, Chrome, and IE

Peter Welter peter.welter at gmail.com
Wed Nov 29 13:22:01 CET 2017


Hi,

I experience the same issue on MacOS (High Sierra) with the browsers:
- Safari (Version 11.0.1 (13604.3.5)) and
- Chrome Version 62.0.3202.94 (Official build) (64-bit).

No problems with:
- Firefox (57.0 (64-bit)).


I will try the setting:

  XYMON_NOCSPHEADER="TRUE"

-- Peter

2017-11-09 20:26 GMT+01:00 John Thurston <john.thurston at alaska.gov>:

> On 11/8/2017 7:40 PM, Jonathan Trott wrote:
>
>> Xymon 4.3.28-1.el7.terabithia with Safari 11 on High Sierra and Safari on
>> iOS 11.
>> Problem occurs on the trends page.
>>
>> https://xymon.domain.com.au/xymon-cgi/svcstatus.sh?HOST=host
>> .com.au&SERVICE=trends
>>
>> If you click on any of the time based buttons, 48hrs for example, the
>> requested page doesn't load.
>> Safari on macOS look like it's loading a page but doesn't get anywhere.
>>
>
> I'm able to duplicate this failure when building 4.3.28 from source on
> Solaris 10. It looks to me like the fix is to add "allow-same-origin" in
> lib/cgi.c to line 278
>
> else if (strncmp(str, "svcstatus-trends", 16) == 0) csppol = strdup("script-src 'self' 'unsafe-inline'; connect-src 'self'; form-action 'self'; sandbox allow-forms allow-scripts allow-same-origin;");
>
>
> How many other pages are broken in a similar manner? I'm not a big user of
> Google Chrome, so depend on my customers to report these breaks to me.
>
> Each of the following pages gets a specific CSP:
>
>> "enadis"
>> "useradm"
>> "chpasswd"
>> "ackinfo"
>> "acknowledge"
>> "criticaleditor"
>> "svcstatus-trends"
>> "svcstatus-info"
>> "svcstatus"
>> "historylog"
>>
>
> svcstatus-info and -trends are special cases of the general purpose
> svcstatus case.
>
> I've done spot-checks of these other pages with my copy of Chrome and they
> seem to behave correctly. Anyone else wanna check their browser/OS
> combinations and report back?
>
>
> --
>    Do things because you should, not just because you can.
>
> John Thurston    907-465-8591
> John.Thurston at alaska.gov
> Department of Administration
> State of Alaska
> _______________________________________________
> Xymon mailing list
> Xymon at xymon.com
> http://lists.xymon.com/mailman/listinfo/xymon
>
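The fix John describes adds allow-same-origin to the sandbox directive of the per-page CSP that lib/cgi.c emits for svcstatus-trends. A CSP sandbox directive without allow-same-origin runs the document with an opaque origin, so it loses the cookies and storage of the Xymon host; what the thread itself reports is only that the trends buttons stop loading in Safari and Chrome while Firefox is unaffected. The following checker is an added example for this thread, not Xymon project code: it parses a CSP header value, flags a sandbox directive that lacks allow-same-origin, and can also fetch the header from a running server (returning None when XYMON_NOCSPHEADER="TRUE" suppresses it). The "broken" policy string is my reconstruction (the quoted fixed line with allow-same-origin removed), not a string taken from any Xymon release.

```python
"""Check an Xymon CGI page's Content-Security-Policy for the sandbox /
allow-same-origin problem discussed in this thread.
Added example; not part of Xymon."""
import urllib.request
from typing import Dict, List, Optional

# Policy quoted in the thread as the fix for svcstatus-trends (lib/cgi.c).
FIXED_TRENDS_POLICY = ("script-src 'self' 'unsafe-inline'; connect-src 'self'; "
                       "form-action 'self'; "
                       "sandbox allow-forms allow-scripts allow-same-origin;")

# Assumed pre-fix policy: the same string without allow-same-origin.
# Constructed for illustration; the thread describes the fix as adding that token.
BROKEN_TRENDS_POLICY = ("script-src 'self' 'unsafe-inline'; connect-src 'self'; "
                        "form-action 'self'; "
                        "sandbox allow-forms allow-scripts;")


def parse_csp(policy: str) -> Dict[str, List[str]]:
    """Split a CSP header value into {directive-name: [tokens]}.
    Directives are ';'-separated; the first whitespace-delimited token
    is the directive name, the rest are its source/flag tokens."""
    directives: Dict[str, List[str]] = {}
    for part in policy.split(";"):
        tokens = part.split()
        if not tokens:
            continue
        name = tokens[0].lower()
        # Browsers honour the first occurrence of a directive and ignore repeats.
        directives.setdefault(name, tokens[1:])
    return directives


def sandbox_strips_origin(policy: str) -> bool:
    """True when the policy sandboxes the document without allow-same-origin,
    i.e. the page runs with an opaque origin and loses the host's cookies
    and storage. This is the condition the reported fix removes."""
    d = parse_csp(policy)
    if "sandbox" not in d:
        return False
    return "allow-same-origin" not in (t.lower() for t in d["sandbox"])


def audit(policy: str) -> List[str]:
    """Return human-readable findings for one CSP header value."""
    d = parse_csp(policy)
    findings: List[str] = []
    if sandbox_strips_origin(policy):
        findings.append("sandbox without allow-same-origin: page gets an opaque origin")
    if "'unsafe-inline'" in d.get("script-src", []):
        findings.append("script-src allows 'unsafe-inline': inline scripts are not blocked")
    return findings


def fetch_csp(url: str, timeout: float = 10.0) -> Optional[str]:
    """Fetch a page and return its Content-Security-Policy header, or None
    when the server sends none (e.g. XYMON_NOCSPHEADER="TRUE").
    Needs a reachable Xymon server; not exercised offline."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.headers.get("Content-Security-Policy")


if __name__ == "__main__":
    for label, pol in (("pre-fix", BROKEN_TRENDS_POLICY), ("fixed", FIXED_TRENDS_POLICY)):
        print(label, audit(pol))
    # Live check, e.g. against the URL from Jonathan's report:
    # print(fetch_csp("https://xymon.example/xymon-cgi/svcstatus.sh?HOST=h&SERVICE=trends"))
```

Point fetch_csp at each of the CGI pages John lists to see which ones still carry a sandbox directive without allow-same-origin on your build, rather than relying on browser reports from users.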