Xymon Mailing List Archive

Problems with Content Security Policy in Safari, Chrome, and IE

John Thurston
Thu, 9 Nov 2017 10:26:11 -0900
Message-Id: <user-abd4da67d692@xymon.invalid>

On 11/8/2017 7:40 PM, Jonathan Trott wrote:
> Xymon 4.3.28-1.el7.terabithia with Safari 11 on High Sierra and Safari on iOS 11.
> Problem occurs on the trends page.
>
> https://xymon.domain.com.au/xymon-cgi/svcstatus.sh?HOST=host.com.au&SERVICE=trends
>
> If you click on any of the time-based buttons, 48hrs for example, the requested page doesn't load.
> Safari on macOS looks like it's loading a page but doesn't get anywhere.
I'm able to duplicate this failure when building 4.3.28 from source on Solaris 10. It looks to me like the fix is to add "allow-same-origin" in lib/cgi.c to line 278:

    else if (strncmp(str, "svcstatus-trends", 16) == 0) csppol = strdup("script-src 'self' 'unsafe-inline'; connect-src 'self'; form-action 'self'; sandbox allow-forms allow-scripts allow-same-origin;");
 
How many other pages are broken in a similar manner? I'm not a big user of Google Chrome, so depend on my customers to report these breaks to me.

Each of the following pages gets a specific CSP:
"enadis"
"useradm"
"chpasswd"
"ackinfo"
"acknowledge"
"criticaleditor"
"svcstatus-trends"
"svcstatus-info"
"svcstatus"
"historylog"
svcstatus-info and -trends are special cases of the general purpose svcstatus case.

I've done spot-checks of these other pages with my copy of Chrome and they seem to behave correctly. Anyone else wanna check their browser/OS combinations and report back?

--
    Do things because you should, not just because you can.

John Thurston    XXX-XXX-XXXX
user-ce4d79d99bab@xymon.invalid
Department of Administration
State of Alaska
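The spot-checking John asks for can be done against the policy strings themselves rather than by clicking through every page in every browser. The following is an added example, not Xymon's code or John's: it tokenizes a Content-Security-Policy value the way a browser does (directives split on ';', tokens on whitespace, first occurrence of a directive wins) and flags the combination the thread is about, a `sandbox` directive without `allow-same-origin` on a page whose other directives rely on `'self'`. It also reports the cost of the proposed fix: `allow-scripts` together with `allow-same-origin` lets the page's scripts run with the site's real origin, so the sandbox no longer isolates that CGI from the rest of the Xymon site. FIXED_TRENDS is the lib/cgi.c line John posts; PRE_FIX_TRENDS is assumed to be that same line without the token he adds, since the thread does not quote the unpatched line.

```python
# Added example, not part of Xymon or of the thread: a checker for the
# per-page CSP strings that lib/cgi.c hands out.
from __future__ import annotations

# Constructed sample policies.  FIXED_TRENDS is the svcstatus-trends line
# posted in the thread; PRE_FIX_TRENDS is an assumed reconstruction (the
# same line minus the allow-same-origin token the fix adds).
FIXED_TRENDS = (
    "script-src 'self' 'unsafe-inline'; connect-src 'self'; "
    "form-action 'self'; sandbox allow-forms allow-scripts allow-same-origin;"
)
PRE_FIX_TRENDS = (
    "script-src 'self' 'unsafe-inline'; connect-src 'self'; "
    "form-action 'self'; sandbox allow-forms allow-scripts;"
)


def parse_csp(policy: str) -> dict[str, list[str]]:
    """Split a Content-Security-Policy value into {directive: [tokens]}.

    Directive names are case-insensitive; empty parts (trailing ';', ';;')
    are skipped.  If a directive is repeated, the first occurrence is kept
    and later ones ignored, which is how browsers treat duplicates.
    """
    directives: dict[str, list[str]] = {}
    for part in policy.split(";"):
        tokens = part.split()
        if not tokens:
            continue
        name = tokens[0].lower()
        directives.setdefault(name, tokens[1:])
    return directives


def sandbox_findings(policy: str) -> list[str]:
    """Return findings about the sandbox directive of one policy.

    Reported, in this order:
      * form-action / connect-src / script-src using 'self' while the page
        is sandboxed without allow-same-origin (the symptom in the thread:
        the sandboxed document gets an opaque origin and the trends
        buttons stop working in Safari);
      * allow-scripts together with allow-same-origin (the cost of the fix:
        scripts run with the real origin, so the sandbox no longer
        isolates this page from the rest of the site).
    """
    d = parse_csp(policy)
    findings: list[str] = []
    if "sandbox" not in d:
        return findings
    flags = set(d["sandbox"])
    if "allow-same-origin" not in flags:
        for directive in ("form-action", "connect-src", "script-src"):
            if "'self'" in d.get(directive, []):
                findings.append(
                    f"{directive} 'self' on a sandboxed page without allow-same-origin"
                )
    if {"allow-scripts", "allow-same-origin"} <= flags:
        findings.append(
            "sandbox allow-scripts + allow-same-origin: scripts run with the "
            "real origin, so the sandbox no longer isolates this page"
        )
    return findings


def check_pages(policies: dict[str, str]) -> dict[str, list[str]]:
    """Run sandbox_findings over a {page: policy} map; keep pages with findings."""
    result: dict[str, list[str]] = {}
    for page, policy in policies.items():
        notes = sandbox_findings(policy)
        if notes:
            result[page] = notes
    return result


if __name__ == "__main__":
    report = check_pages({
        "svcstatus-trends (pre-fix, assumed)": PRE_FIX_TRENDS,
        "svcstatus-trends (fixed)": FIXED_TRENDS,
    })
    for page, notes in report.items():
        print(page)
        for note in notes:
            print("  -", note)
```

To run this against a live install, read the Content-Security-Policy response header of each CGI in the list above (for example with `curl -sI` against the xymon-cgi URLs) and pass the values to `check_pages` keyed by page name; any page that still carries `sandbox` without `allow-same-origin` alongside `'self'` is a candidate for the same Safari breakage, and any page that now carries both `allow-scripts` and `allow-same-origin` has a sandbox that is no longer doing much.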