Xymon Mailing List Archive

Proposed patch for broken CSP

Jonathan Trott
Thu, 16 Nov 2017 12:27:43 +1100
Message-Id: <user-fd486e369a95@xymon.invalid>

Hi John.

I haven't seen the issue on any other pages, so your patch should hopefully 
fix the issue.

Thanks,
JT

John Thurston <user-ce4d79d99bab@xymon.invalid> wrote on 14/11/2017 05:58:30:
I propose the following patch to correct the broken form submission on 
the trends page:
--- ./xymon-4.3.28/lib/cgi.c-4.3.28   Thu Mar   3 14:44:55 2016
+++ ./xymon-4.3.28/lib/cgi.c   Mon Nov 13 09:43:38 2017
@@ -275,7 +275,7 @@
   else if (strncmp(str, "ackinfo", 7) == 0) csppol = strdup
("script-src 'self'; connect-src 'self'; form-action 'self';");
   else if (strncmp(str, "acknowledge", 11) == 0) csppol = strdup
("script-src 'self'; connect-src 'self'; form-action 'self';");
   else if (strncmp(str, "criticaleditor", 14) == 0) csppol = 
strdup("script-src 'self'; connect-src 'self'; form-action 'self';");
-   else if (strncmp(str, "svcstatus-trends", 16) == 0) csppol = 
strdup("script-src 'self' 'unsafe-inline'; connect-src 'self'; form-
action 'self'; sandbox allow-forms allow-scripts;");
+   else if (strncmp(str, "svcstatus-trends", 16) == 0) csppol = 
strdup("script-src 'self' 'unsafe-inline'; connect-src 'self'; form-
action 'self'; sandbox allow-forms allow-scripts allow-same-origin;");
   else if (strncmp(str, "svcstatus-info", 14) == 0) csppol = 
strdup("script-src 'self' 'unsafe-inline'; connect-src 'self'; form-
action 'self'; sandbox allow-forms allow-same-origin allow-scripts 
allow-modals allow-popups;");
   else if (strncmp(str, "svcstatus", 9) == 0) csppol = strdup
("script-src 'self'; connect-src 'self'; form-action 'self'; sandbox
allow-forms allow-same-origin;");
   else if (strncmp(str, "historylog", 10) == 0) csppol = strdup
("script-src 'self'; connect-src 'self'; form-action 'self'; sandbox
allow-forms;");

Has anyone found other incorrect CSP headers?

    Do things because you should, not just because you can.

John Thurston    XXX-XXX-XXXX
user-ce4d79d99bab@xymon.invalid
Department of Administration
State of Alaska
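The keyword the patch adds, allow-same-origin, decides whether the trends page keeps the Xymon origin or is given an opaque one, and together with allow-scripts it decides whether the sandbox still isolates script from that origin. What follows is an added example, not Xymon code and not part of either message in the thread: a small C audit of the kind of policy strings lib/cgi.c hands out. The four policy strings are copied from the quoted hunk (line wrapping removed); the check names (forms_from_opaque_origin, script_runs_as_origin, inline_script_as_origin) and the audit logic are this example's own. It flags the pre-patch trends line and the unchanged historylog line as submitting forms from an opaque origin, and the patched trends line as allowing inline script that runs with the real origin.

```c
/* Audit of per-page CSP strings of the kind Xymon's lib/cgi.c hands out.
 * Added example for this thread, not Xymon code.  The four policies are
 * copied from the quoted hunk (wrapping removed); check names are ours. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

enum {                              /* sandbox keywords that matter here */
    SB_ALLOW_FORMS       = 1u << 0,
    SB_ALLOW_SCRIPTS     = 1u << 1,
    SB_ALLOW_SAME_ORIGIN = 1u << 2,
};

struct csp_audit {
    unsigned sandbox;              /* SB_* bits seen in the sandbox directive */
    bool script_unsafe_inline;     /* script-src lists 'unsafe-inline' */
    bool forms_from_opaque_origin; /* allow-forms but no allow-same-origin */
    bool script_runs_as_origin;    /* allow-scripts and allow-same-origin */
};

/* Next whitespace-delimited word of *p (NUL-terminated in place); NULL at end. */
static char *next_word(char **p)
{
    char *s = *p + strspn(*p, " \t"), *e;
    if (*s == '\0') { *p = s; return NULL; }
    e = s + strcspn(s, " \t");
    if (*e != '\0') *e++ = '\0';
    *p = e;
    return s;
}

/* Parse one policy into *out.  Returns 0, or -1 for NULL/oversized input. */
int csp_audit(const char *policy, struct csp_audit *out)
{
    char buf[1024], *dir, *next;

    memset(out, 0, sizeof(*out));
    if (policy == NULL || strlen(policy) >= sizeof(buf)) return -1;
    strcpy(buf, policy);

    for (dir = buf; dir != NULL; dir = next) {
        char *p = dir, *name, *w;
        next = strchr(dir, ';');
        if (next != NULL) *next++ = '\0';               /* isolate this directive */
        if ((name = next_word(&p)) == NULL) continue;   /* empty, e.g. trailing ';' */

        if (strcmp(name, "sandbox") == 0) {
            while ((w = next_word(&p)) != NULL) {
                if (strcmp(w, "allow-forms") == 0)            out->sandbox |= SB_ALLOW_FORMS;
                else if (strcmp(w, "allow-scripts") == 0)     out->sandbox |= SB_ALLOW_SCRIPTS;
                else if (strcmp(w, "allow-same-origin") == 0) out->sandbox |= SB_ALLOW_SAME_ORIGIN;
            }
        } else if (strcmp(name, "script-src") == 0) {
            while ((w = next_word(&p)) != NULL)
                if (strcmp(w, "'unsafe-inline'") == 0) out->script_unsafe_inline = true;
        }
    }
    /* Without allow-same-origin the sandboxed document gets an opaque origin,
     * so allow-forms lets it submit forms as "null": the removed line's shape. */
    out->forms_from_opaque_origin = (out->sandbox & SB_ALLOW_FORMS) &&
                                    !(out->sandbox & SB_ALLOW_SAME_ORIGIN);
    /* With both keywords, script keeps the real origin: no origin isolation. */
    out->script_runs_as_origin = (out->sandbox & SB_ALLOW_SCRIPTS) &&
                                 (out->sandbox & SB_ALLOW_SAME_ORIGIN);
    return 0;
}

/* Yes/no wrappers: 1 = flagged, 0 = clean, -1 = unparsable. */
int csp_forms_from_opaque_origin(const char *policy)
{
    struct csp_audit a;
    return csp_audit(policy, &a) ? -1 : a.forms_from_opaque_origin;
}
int csp_script_runs_as_origin(const char *policy)
{
    struct csp_audit a;
    return csp_audit(policy, &a) ? -1 : a.script_runs_as_origin;
}
int csp_inline_script_as_origin(const char *policy)   /* the patched trends line */
{
    struct csp_audit a;
    return csp_audit(policy, &a) ? -1 : (a.script_unsafe_inline && a.script_runs_as_origin);
}

/* Policies copied from the quoted lib/cgi.c hunk. */
#define XYMON_TRENDS_OLD "script-src 'self' 'unsafe-inline'; connect-src 'self'; form-action 'self'; sandbox allow-forms allow-scripts;"
#define XYMON_TRENDS_NEW "script-src 'self' 'unsafe-inline'; connect-src 'self'; form-action 'self'; sandbox allow-forms allow-scripts allow-same-origin;"
#define XYMON_SVCSTATUS  "script-src 'self'; connect-src 'self'; form-action 'self'; sandbox allow-forms allow-same-origin;"
#define XYMON_HISTORYLOG "script-src 'self'; connect-src 'self'; form-action 'self'; sandbox allow-forms;"

static void report(const char *label, const char *policy)
{
    printf("%-11s forms-from-opaque-origin=%d script-runs-as-origin=%d inline-as-origin=%d\n",
           label, csp_forms_from_opaque_origin(policy), csp_script_runs_as_origin(policy),
           csp_inline_script_as_origin(policy));
}

int main(void)
{
    report("trends-old", XYMON_TRENDS_OLD);
    report("trends-new", XYMON_TRENDS_NEW);
    report("svcstatus",  XYMON_SVCSTATUS);
    report("historylog", XYMON_HISTORYLOG);
    return 0;
}
```

Build with `cc -Wall csp_audit.c` and run it; to audit the rest of the table, paste the remaining csppol strings from cgi.c in as further defines and add a `report` line for each. The parser only recognises the three sandbox keywords and 'unsafe-inline' because those are the tokens the thread turns on; any other directive is skipped rather than rejected.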