Xymon Mailing List Archive

Problems with Content Security Policy in Safari, Chrome, and IE

12 messages in this thread

Jonathan Trott · Thu, 9 Nov 2017 15:40:55 +1100
Xymon 4.3.28-1.el7.terabithia with Safari 11 on High Sierra and Safari on iOS 11.
Problem occurs on the trends page.

https://xymon.domain.com.au/xymon-cgi/svcstatus.sh?HOST=host.com.au&SERVICE=trends

If you click on any of the time based buttons, 48hrs for example, the requested page doesn't load.
Safari on macOS looks like it's loading a page but doesn't get anywhere.
Safari on iOS does nothing at all when you tap the button.

The console in Safari reveals the following error:

Refused to load https://xymon.domain.com.au/xymon-cgi/svcstatus.sh?HOST=host.com.au&SERVICE=trends&backdays=48&backhours=&backmins=&backsecs=&FROMTIME=&TOTIME= because it does not appear in the form-action directive of the Content Security Policy.

Checking the headers shows this content security policy:

Content-Security-Policy: script-src 'self' 'unsafe-inline'; connect-src 'self'; form-action 'self'; sandbox allow-forms allow-scripts;

I'm not that well versed in the CSP stuff, but I note that it also fails with the same error in the latest Chrome 62.0.3202.89, and in Internet Explorer 11.0.9600.18817 (no error logged), but works in the latest Firefox 56.0.2.

Has anyone else run into this issue, or has any more information on how I can modify the CSP headers to test?

I tried using Header set Content-Security-Policy in apache but that seems to add an improperly formatted addition to the rules rather than overwriting them.

Thanks,
JT
John Thurston · Thu, 9 Nov 2017 08:06:45 -0900
On 11/8/2017 7:40 PM, Jonathan Trott wrote:
Has anyone else run into this issue, or has any more information on how I can modify the CSP headers to test?
I suspect google Chrome has just changed some of their requirements, because I got a call on a different CSP issue a couple of days ago.

Changing the CSP header information isn't straight forward in Xymon. In this case, it is defined in lib/cgi.c, between lines 200 and 300. If you want to _really_ change these things, you'll need to patch the file and rebuild.

If you'd like to test the required changes before doing so, you can set
   XYMON_NOCSPHEADER="TRUE"
in xymonserver.cfg. With this set, xymon will not create any CSP response headers. You may then use mod_header in Apache to set whatever values you'd like.

Note: My experience is on solaris, so not with the terabithia builds.
--
    Do things because you should, not just because you can.

John Thurston    XXX-XXX-XXXX
user-ce4d79d99bab@xymon.invalid
Department of Administration
State of Alaska
John Thurston · Thu, 9 Nov 2017 10:26:11 -0900
On 11/8/2017 7:40 PM, Jonathan Trott wrote:
Xymon 4.3.28-1.el7.terabithia with Safari 11 on High Sierra and Safari on iOS 11.
Problem occurs on the trends page.

https://xymon.domain.com.au/xymon-cgi/svcstatus.sh?HOST=host.com.au&SERVICE=trends

If you click on any of the time based buttons, 48hrs for example, the requested page doesn't load.
Safari on macOS looks like it's loading a page but doesn't get anywhere.
I'm able to duplicate this failure when building 4.3.28 from source on Solaris 10. It looks to me like the fix is to add "allow-same-origin" in lib/cgi.c to line 278
else if (strncmp(str, "svcstatus-trends", 16) == 0) csppol = strdup("script-src 'self' 'unsafe-inline'; connect-src 'self'; form-action 'self'; sandbox allow-forms allow-scripts allow-same-origin;");
 
How many other pages are broken in a similar manner? I'm not a big user of Google Chrome, so depend on my customers to report these breaks to me.

Each of the following pages gets a specific CSP:
"enadis"
"useradm"
"chpasswd"
"ackinfo"
"acknowledge"
"criticaleditor"
"svcstatus-trends"
"svcstatus-info"
"svcstatus"
"historylog"
svcstatus-info and -trends are special cases of the general purpose svcstatus case.

I've done spot-checks of these other pages with my copy of Chrome and they seem to behave correctly. Anyone else wanna check their browser/OS combinations and report back?

--
    Do things because you should, not just because you can.

John Thurston    XXX-XXX-XXXX
user-ce4d79d99bab@xymon.invalid
Department of Administration
State of Alaska
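The failure John describes above comes from how CSP's sandbox directive interacts with 'self': a document sandboxed without allow-same-origin gets an opaque origin, and 'self' never matches an opaque origin, so form-action 'self' refuses the page's own form submission. The checker below is an added example (my code, not Xymon's or anything from cgi.c): it parses the policies quoted in this thread, reports which 'self' sources are dead under each one, and applies the same correction as John's proposed change; it also runs over the historylog policy, which has the same shape, so it goes slightly beyond the trends case the thread discusses.

```python
"""Spot the CSP 'sandbox without allow-same-origin' trap behind the trends-page breakage.

Added example, not Xymon's code. A document delivered with a CSP ``sandbox``
directive that does not include ``allow-same-origin`` is given an opaque
origin, and the keyword ``'self'`` never matches an opaque origin. Every
``'self'`` in form-action, connect-src or script-src is therefore dead, which
is exactly the "does not appear in the form-action directive" refusal that
Safari and Chrome logged for the trends page.
"""
from __future__ import annotations

# Policies as quoted in the thread: svcstatus-trends before and after the
# patch, the general svcstatus policy, and historylog.
TRENDS_BEFORE = ("script-src 'self' 'unsafe-inline'; connect-src 'self'; "
                 "form-action 'self'; sandbox allow-forms allow-scripts;")
TRENDS_AFTER = ("script-src 'self' 'unsafe-inline'; connect-src 'self'; "
                "form-action 'self'; sandbox allow-forms allow-scripts allow-same-origin;")
SVCSTATUS = ("script-src 'self'; connect-src 'self'; form-action 'self'; "
             "sandbox allow-forms allow-same-origin;")
HISTORYLOG = ("script-src 'self'; connect-src 'self'; form-action 'self'; "
              "sandbox allow-forms;")


def parse_csp(header: str) -> dict[str, list[str]]:
    """Split a CSP header into {directive: [tokens]}.

    Directives are ';'-separated and their names are case-insensitive; when a
    directive is repeated, browsers honour the first one, so we keep that.
    """
    policy: dict[str, list[str]] = {}
    for raw in header.split(";"):
        parts = raw.split()
        if not parts:
            continue
        policy.setdefault(parts[0].lower(), parts[1:])
    return policy


def sandboxed_without_same_origin(policy: dict[str, list[str]]) -> bool:
    """True when this policy gives the document an opaque origin."""
    if "sandbox" not in policy:
        return False
    return "allow-same-origin" not in (t.lower() for t in policy["sandbox"])


def dead_self_directives(header: str) -> list[str]:
    """Names (sorted) of directives whose 'self' source can never match.

    A 'self' source is dead when the same policy sandboxes the document with an
    opaque origin. Whether a user notices depends on whether the page actually
    submits a form, fetches from itself or loads an external script.
    """
    policy = parse_csp(header)
    if not sandboxed_without_same_origin(policy):
        return []
    return sorted(name for name, tokens in policy.items()
                  if name != "sandbox"
                  and "'self'" in (t.lower() for t in tokens))


def add_allow_same_origin(header: str) -> str:
    """Apply the same correction as the proposed cgi.c change: append
    allow-same-origin to the sandbox directive (no-op when already present).

    Caveat: allow-scripts together with allow-same-origin gives the page's
    scripts ordinary same-origin access again, so only the sandbox's remaining
    restrictions (popups, modals, top navigation, ...) still apply.
    """
    pieces = header.split(";")
    for i, raw in enumerate(pieces):
        parts = raw.split()
        if parts and parts[0].lower() == "sandbox":
            if "allow-same-origin" not in (t.lower() for t in parts[1:]):
                pieces[i] = raw.rstrip() + " allow-same-origin"
            break
    return ";".join(pieces)


if __name__ == "__main__":
    for label, header in [("svcstatus-trends (4.3.28)", TRENDS_BEFORE),
                          ("svcstatus-trends (patched)", TRENDS_AFTER),
                          ("svcstatus", SVCSTATUS),
                          ("historylog", HISTORYLOG)]:
        dead = dead_self_directives(header)
        print(f"{label}: " + (f"dead 'self' in {', '.join(dead)}" if dead else "ok"))
    print("corrected:", add_allow_same_origin(TRENDS_BEFORE))
```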
John Thurston · Mon, 13 Nov 2017 09:58:30 -0900
I propose the following patch to correct the broken form submission on 
the trends page:
--- ./xymon-4.3.28/lib/cgi.c-4.3.28	Thu Mar	3 14:44:55 2016
+++ ./xymon-4.3.28/lib/cgi.c	Mon Nov 13 09:43:38 2017
@@ -275,7 +275,7 @@
	else if (strncmp(str, "ackinfo", 7) == 0) csppol = strdup("script-src 'self'; connect-src 'self'; form-action 'self';");
	else if (strncmp(str, "acknowledge", 11) == 0) csppol = strdup("script-src 'self'; connect-src 'self'; form-action 'self';");
	else if (strncmp(str, "criticaleditor", 14) == 0) csppol = strdup("script-src 'self'; connect-src 'self'; form-action 'self';");
-	else if (strncmp(str, "svcstatus-trends", 16) == 0) csppol = strdup("script-src 'self' 'unsafe-inline'; connect-src 'self'; form-action 'self'; sandbox allow-forms allow-scripts;");
+	else if (strncmp(str, "svcstatus-trends", 16) == 0) csppol = strdup("script-src 'self' 'unsafe-inline'; connect-src 'self'; form-action 'self'; sandbox allow-forms allow-scripts allow-same-origin;");

	else if (strncmp(str, "svcstatus-info", 14) == 0) csppol = strdup("script-src 'self' 'unsafe-inline'; connect-src 'self'; form-action 'self'; sandbox allow-forms allow-same-origin allow-scripts allow-modals allow-popups;");
	else if (strncmp(str, "svcstatus", 9) == 0) csppol = strdup("script-src 'self'; connect-src 'self'; form-action 'self'; sandbox allow-forms allow-same-origin;");
	else if (strncmp(str, "historylog", 10) == 0) csppol = strdup("script-src 'self'; connect-src 'self'; form-action 'self'; sandbox allow-forms;");
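Review bot: the changed svcstatus-trends line trades sandbox isolation for working forms without saying so; adding allow-same-origin next to allow-scripts hands the page's scripts ordinary same-origin access back, so what remains of the sandbox on that line is its other restrictions (popups, modals, top navigation), and the reason the flag is needed (an opaque origin can never satisfy 'self' in form-action, connect-src or script-src) deserves a short comment beside the strdup rather than being left implicit. The unchanged historylog line at the bottom of the hunk has the same shape, sandbox allow-forms without allow-same-origin alongside form-action 'self', so any form it submits would be refused the same way and it is worth checking in the same change.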
Has anyone found other incorrect CSP headers ?

    Do things because you should, not just because you can.

John Thurston    XXX-XXX-XXXX
user-ce4d79d99bab@xymon.invalid
Department of Administration
State of Alaska
Jonathan Trott · Thu, 16 Nov 2017 12:27:43 +1100
Hi John.

I haven't seen the issue on any other pages, so your patch should hopefully fix the issue.

Thanks,
JT

John Thurston <user-ce4d79d99bab@xymon.invalid> wrote on 14/11/2017 05:58:30:
I propose the following patch to correct the broken form submission on 
the trends page:
--- ./xymon-4.3.28/lib/cgi.c-4.3.28   Thu Mar   3 14:44:55 2016
+++ ./xymon-4.3.28/lib/cgi.c   Mon Nov 13 09:43:38 2017
@@ -275,7 +275,7 @@

   else if (strncmp(str, "ackinfo", 7) == 0) csppol = strdup
("script-src 'self'; connect-src 'self'; form-action 'self';");
   else if (strncmp(str, "acknowledge", 11) == 0) csppol = strdup
("script-src 'self'; connect-src 'self'; form-action 'self';");
   else if (strncmp(str, "criticaleditor", 14) == 0) csppol = 
strdup("script-src 'self'; connect-src 'self'; form-action 'self';");
-   else if (strncmp(str, "svcstatus-trends", 16) == 0) csppol = 

strdup("script-src 'self' 'unsafe-inline'; connect-src 'self'; form-
action 'self'; sandbox allow-forms allow-scripts;");
+   else if (strncmp(str, "svcstatus-trends", 16) == 0) csppol = 
strdup("script-src 'self' 'unsafe-inline'; connect-src 'self'; form-
action 'self'; sandbox allow-forms allow-scripts allow-same-origin;");
   else if (strncmp(str, "svcstatus-info", 14) == 0) csppol = 
strdup("script-src 'self' 'unsafe-inline'; connect-src 'self'; form-
action 'self'; sandbox allow-forms allow-same-origin allow-scripts 
allow-modals allow-popups;");
   else if (strncmp(str, "svcstatus", 9) == 0) csppol = strdup
("script-src 'self'; connect-src 'self'; form-action 'self'; sandbox
allow-forms allow-same-origin;");
   else if (strncmp(str, "historylog", 10) == 0) csppol = strdup
("script-src 'self'; connect-src 'self'; form-action 'self'; sandbox
allow-forms;");

Has anyone found other incorrect CSP headers ?

    Do things because you should, not just because you can.

John Thurston    XXX-XXX-XXXX
user-ce4d79d99bab@xymon.invalid
Department of Administration
State of Alaska
Thomas Eckert · Wed, 29 Nov 2017 13:18:31 +0100
Sorry for being late to the party.
I can confirm that the proposed patch works w/ 4.3.28 (on Raspbian) and fixes the “cannot use trends-form with Chrome browser”-issue.

Should be applied. JC?

All the best
Thomas
On 13 Nov 2017, at 19:58, John Thurston <user-ce4d79d99bab@xymon.invalid> wrote:

I propose the following patch to correct the broken form submission on the trends page:
--- ./xymon-4.3.28/lib/cgi.c-4.3.28	Thu Mar	3 14:44:55 2016
+++ ./xymon-4.3.28/lib/cgi.c	Mon Nov 13 09:43:38 2017
@@ -275,7 +275,7 @@
	else if (strncmp(str, "ackinfo", 7) == 0) csppol = strdup("script-src 'self'; connect-src 'self'; form-action 'self';");
	else if (strncmp(str, "acknowledge", 11) == 0) csppol = strdup("script-src 'self'; connect-src 'self'; form-action 'self';");
	else if (strncmp(str, "criticaleditor", 14) == 0) csppol = strdup("script-src 'self'; connect-src 'self'; form-action 'self';");
-	else if (strncmp(str, "svcstatus-trends", 16) == 0) csppol = strdup("script-src 'self' 'unsafe-inline'; connect-src 'self'; form-action 'self'; sandbox allow-forms allow-scripts;");
+	else if (strncmp(str, "svcstatus-trends", 16) == 0) csppol = strdup("script-src 'self' 'unsafe-inline'; connect-src 'self'; form-action 'self'; sandbox allow-forms allow-scripts allow-same-origin;");
	else if (strncmp(str, "svcstatus-info", 14) == 0) csppol = strdup("script-src 'self' 'unsafe-inline'; connect-src 'self'; form-action 'self'; sandbox allow-forms allow-same-origin allow-scripts allow-modals allow-popups;");
	else if (strncmp(str, "svcstatus", 9) == 0) csppol = strdup("script-src 'self'; connect-src 'self'; form-action 'self'; sandbox allow-forms allow-same-origin;");
	else if (strncmp(str, "historylog", 10) == 0) csppol = strdup("script-src 'self'; connect-src 'self'; form-action 'self'; sandbox allow-forms;");
Has anyone found other incorrect CSP headers ?

  Do things because you should, not just because you can.

John Thurston    XXX-XXX-XXXX
user-ce4d79d99bab@xymon.invalid
Department of Administration
State of Alaska
Peter Welter · Wed, 29 Nov 2017 13:22:01 +0100
Hi,

I experience the same issue on MacOS (High Sierra) with the browsers:
- Safari (Version 11.0.1 (13604.3.5)) and
- Chrome Version 62.0.3202.94 (Official build) (64-bit).

No problems with:
- Firefox (57.0 (64-bit)),


I will try the setting:

  XYMON_NOCSPHEADER="TRUE"

-- Peter

2017-11-09 20:26 GMT+01:00 John Thurston <user-ce4d79d99bab@xymon.invalid>:
On 11/8/2017 7:40 PM, Jonathan Trott wrote:
Xymon 4.3.28-1.el7.terabithia with Safari 11 on High Sierra and Safari on
iOS 11.
Problem occurs on the trends page.

https://xymon.domain.com.au/xymon-cgi/svcstatus.sh?HOST=host.com.au&SERVICE=trends

If you click on any of the time based buttons, 48hrs for example, the
requested page doesn't load.
Safari on macOS looks like it's loading a page but doesn't get anywhere.
I'm able to duplicate this failure when building 4.3.28 from source on
Solaris 10. It looks to me like the fix is to add "allow-same-origin" in
lib/cgi.c to line 278

else if (strncmp(str, "svcstatus-trends", 16) == 0) csppol =
strdup("script-src 'self' 'unsafe-inline'; connect-src 'self'; form-action
'self'; sandbox allow-forms allow-scripts allow-same-origin;");

How many other pages are broken in a similar manner? I'm not a big user of
Google Chrome, so depend on my customers to report these breaks to me.

Each of the following pages gets a specific CSP:
"enadis"
"useradm"
"chpasswd"
"ackinfo"
"acknowledge"
"criticaleditor"
"svcstatus-trends"
"svcstatus-info"
"svcstatus"
"historylog"
svcstatus-info and -trends are special cases of the general purpose
svcstatus case.

I've done spot-checks of these other pages with my copy of Chrome and they
seem to behave correctly. Anyone else wanna check their browser/OS
combinations and report back?


--
   Do things because you should, not just because you can.

John Thurston    XXX-XXX-XXXX
user-ce4d79d99bab@xymon.invalid
Department of Administration
State of Alaska

John Thurston · Wed, 29 Nov 2017 08:26:34 -0900
On 11/29/2017 3:22 AM, Peter Welter wrote:
I will try the setting:

   XYMON_NOCSPHEADER="TRUE"
This will bypass the problem by suppressing all CSP headers on those pages. This will leave those pages and forms vulnerable to Cross-Site hacks; intentional, accidental, and incidental. It may also fail to work on near-future browser releases.

I wouldn't consider "NOCSPHEADER" to be anything more than a troubleshooting flag. It's just too easy for content from the clients to make its way onto pages.

--
    Do things because you should, not just because you can.

John Thurston    XXX-XXX-XXXX
user-ce4d79d99bab@xymon.invalid
Department of Administration
State of Alaska
Japheth Cleaver · Fri, 1 Dec 2017 10:23:24 -0800
I can confirm that this update fixes the issue on the browsers I've 
tested as well.

Thanks, John for identifying the issue here.
Will be issuing a release update tonight.

Regards,
-jc


On 11/29/2017 4:18 AM, Thomas Eckert wrote:
Sorry for being late to the party.
I can confirm that the proposed patch works w/ 4.3.28 (on Raspbian) and fixes the “cannot use trends-form with Chrome browser”-issue.

Should be applied. JC?

All the best
Thomas
On 13 Nov 2017, at 19:58, John Thurston <user-ce4d79d99bab@xymon.invalid> wrote:

I propose the following patch to correct the broken form submission on the trends page:
--- ./xymon-4.3.28/lib/cgi.c-4.3.28	Thu Mar	3 14:44:55 2016
+++ ./xymon-4.3.28/lib/cgi.c	Mon Nov 13 09:43:38 2017
@@ -275,7 +275,7 @@
	else if (strncmp(str, "ackinfo", 7) == 0) csppol = strdup("script-src 'self'; connect-src 'self'; form-action 'self';");
	else if (strncmp(str, "acknowledge", 11) == 0) csppol = strdup("script-src 'self'; connect-src 'self'; form-action 'self';");
	else if (strncmp(str, "criticaleditor", 14) == 0) csppol = strdup("script-src 'self'; connect-src 'self'; form-action 'self';");
-	else if (strncmp(str, "svcstatus-trends", 16) == 0) csppol = strdup("script-src 'self' 'unsafe-inline'; connect-src 'self'; form-action 'self'; sandbox allow-forms allow-scripts;");
+	else if (strncmp(str, "svcstatus-trends", 16) == 0) csppol = strdup("script-src 'self' 'unsafe-inline'; connect-src 'self'; form-action 'self'; sandbox allow-forms allow-scripts allow-same-origin;");
	else if (strncmp(str, "svcstatus-info", 14) == 0) csppol = strdup("script-src 'self' 'unsafe-inline'; connect-src 'self'; form-action 'self'; sandbox allow-forms allow-same-origin allow-scripts allow-modals allow-popups;");
	else if (strncmp(str, "svcstatus", 9) == 0) csppol = strdup("script-src 'self'; connect-src 'self'; form-action 'self'; sandbox allow-forms allow-same-origin;");
	else if (strncmp(str, "historylog", 10) == 0) csppol = strdup("script-src 'self'; connect-src 'self'; form-action 'self'; sandbox allow-forms;");
Has anyone found other incorrect CSP headers ?

   Do things because you should, not just because you can.

John Thurston    XXX-XXX-XXXX
user-ce4d79d99bab@xymon.invalid
Department of Administration
State of Alaska
Rene H Hansen · Wed, 21 Mar 2018 12:18:30 +0000
Hello John


Please let me know if I should send to the mailing list. This is my first call for help.


I'm having trouble with enadis. I'm not sure if it's completely the same as you describe here but it looks similar.


We have installed xymon-4.3.28-1.el7.x86_64.rpm (terabithia.org). If I need to play with changing cgi.c and recompiling, will make install reinstall without the need for changes?


When we try to run enadis, either from info or from the Enable/disable menu, we get the following error in xymon-error.log:

[Tue Mar 20 16:54:05.786245 2018] [cgi:error] [pid 9121] [client 172.28.56.243:60696] AH01215: 2018-03-20 16:54:05.786123 Enadis POST that is not coming from self or svcstatus (referer=https://xxxyyy.dk/xymon-seccgi/enadis.sh). Ignoring., referer: https:// xxxyyy.dk/xymon-seccgi/enadis.sh


I have tried to set XYMON_NOCSPHEADER="true" in either xymonserver.cfg or /etc/xymon/cgioptions.cfg but it doesn't seem to make a difference.


We have an httpd proxy in front where I had CSP configured, but I have tried to uncomment it and still get the same error.

I have tested with Firefox 59.0 and Chrome (64.0.3282.186), where JavaScript doesn't work with “Enable/disable menu”, and iexplorer (11.0.51).


(if I want to test directly without httpd/proxy I only have iexplorer v8)


(httpd/proxy)

        #Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains;"
        #Header always set X-Frame-Options "SAMEORIGIN"
        #Header always set X-Content-Type-Options "nosniff"
        #Header always unset Content-Security-Policy
        #Header always set Content-Security-Policy "xdwsscript-src 'self'"
        #Header always set X-XSS-Protection "1; mode=block"
        #Header always set Referrer-Policy "no-referrer"
        #Header unset Server
        #Header set X-Frame-Options "DENY"

        SSLProxyEngine on
        #ProxyPreserveHost On
        ServerName  xxxyy.dk
        SSLProxyVerify none
        SSLProxyCheckPeerCN off
        SSLProxyCheckPeerName off
        SSLProxyCheckPeerExpire on
        ProxyPass /xymon https://xxxyyy.dk:443/xymon
        ProxyPassReverse /xymon https://xxx.xxx.xxx.xxx:443/xymon

        ProxyPass /xymon-cgi https://xxx.xxx.xxx.xxx:443/xymon-cgi
        ProxyPassReverse /xymon-cgi https://xxx.xxx.xxx.xxx:443/xymon-cgi

        ProxyPass /xymon-seccgi/ https://xxx.xxx.xxx.xxx:443/xymon-seccgi/
        ProxyPassReverse /xymon-seccgi/ https://xxx.xxx.xxx.xxx:443/xymon-seccgi/

RENÉ HOIELT HANSEN

Senior Prof. Middleware System Engineer (EA&I)

DXC Technology

Retortvej 8, DK - 2500 Valby, Denmark, I-1-356

Mobile: +XX XXXX XXXX

Email: user-9536c738120c@xymon.invalid

Leave information in advance: Out of office, both days included


-----Original Message-----
From: Xymon [mailto:xymon-bounces at xymon.com] On Behalf Of John Thurston
Sent: 9. november 2017 20:26
To: xymon at xymon.com
Subject: Re: [Xymon] Problems with Content Security Policy in Safari, Chrome, and IE


On 11/8/2017 7:40 PM, Jonathan Trott wrote:
Xymon 4.3.28-1.el7.terabithia with Safari 11 on High Sierra and Safari on iOS 11.
Problem occurs on the trends page.
https://xymon.domain.com.au/xymon-cgi/svcstatus.sh?HOST=host.com.au&SERVICE=trends
If you click on any of the time based buttons, 48hrs for example, the requested page doesn't load.
Safari on macOS looks like it's loading a page but doesn't get anywhere.

I'm able to duplicate this failure when building 4.3.28 from source on Solaris 10. It looks to me like the fix is to add "allow-same-origin" in lib/cgi.c to line 278

else if (strncmp(str, "svcstatus-trends", 16) == 0) csppol =
strdup("script-src 'self' 'unsafe-inline'; connect-src 'self';
form-action 'self'; sandbox allow-forms allow-scripts
allow-same-origin;");
How many other pages are broken in a similar manner? I'm not a big user of Google Chrome, so depend on my customers to report these breaks to me.


Each of the following pages gets a specific CSP:
"enadis"
"useradm"
"chpasswd"
"ackinfo"
"acknowledge"
"criticaleditor"
"svcstatus-trends"
"svcstatus-info"
"svcstatus"
"historylog"

svcstatus-info and -trends are special cases of the general purpose svcstatus case.


I've done spot-checks of these other pages with my copy of Chrome and they seem to behave correctly. Anyone else wanna check their browser/OS combinations and report back?


--

    Do things because you should, not just because you can.


John Thurston    XXX-XXX-XXXX

user-ce4d79d99bab@xymon.invalid

Department of Administration

State of Alaska


John Thurston · Thu, 22 Mar 2018 11:31:48 -0800
I doubt this error is being caused by the CSP settings. I believe those settings are interpreted by the web browser. I suspect this is caused by a mismatch between the name published on your proxy and the name known by the xymon server.

Take a look in enadis.c. Lines 78-84 detect and print the error message you see. Line 82 contains the text:
   return; /* Just display, don't do anything */

which makes me think it is not affecting the behavior. Only throwing a message in the logs.


--
    Do things because you should, not just because you can.

John Thurston    XXX-XXX-XXXX
user-ce4d79d99bab@xymon.invalid
Department of Administration
State of Alaska

On 3/21/2018 4:18 AM, Hansen, Rene H wrote:
[Tue Mar 20 16:54:05.786245 2018] [cgi:error] [pid 9121] [client 172.28.56.243:60696] AH01215: 2018-03-20 16:54:05.786123 Enadis POST that is not coming from self or svcstatus (referer=https://xxxyyy.dk/xymon-seccgi/enadis.sh). Ignoring., referer: https://xxxyyy.dk/xymon-seccgi/enadis.sh
John Rothlisberger · Tue, 17 Jul 2018 19:37:54 +0000
I am now having this error on one of my many Xymon servers – newly built Ubuntu 16.04LTS.

I have tried making some changes in apache to no avail and so far I haven’t found anything in the config file to change this.

Ideas/thoughts?
[Tue Jul 17 15:16:16.820076 2018] [cgi:error] [pid 21003:tid 140629812131584] [client x.x.x.x:44224] AH01215: 2018-07-17 15:16:16.819794 Enadis POST that is not coming from self or svcstatus (referer=https://x.x.x/xymon-cgi/enadis.sh). Ignoring.: /home/xymon/cgi-bin/enadis.sh, referer: https://x.x.x/xymon-cgi/enadis.sh

Thanks,
John

From: Xymon [mailto:xymon-bounces at xymon.com] On Behalf Of Hansen, Rene H
Sent: Wednesday, March 21, 2018 7:19 AM
To: John Thurston <user-ce4d79d99bab@xymon.invalid>; xymon at xymon.com
Subject: [External] Re: [Xymon] Problems with Content Security Policy in Safari, Chrome, and IE


Hello John


Please let me know if I should send to the mailing list. This is my first call for help.


I'm having trouble with enadis. I'm not sure if it's completely the same as you describe here but it looks similar.


We have installed xymon-4.3.28-1.el7.x86_64.rpm (terabithia.org). If I need to play with changing cgi.c and recompiling, will make install reinstall without the need for changes?


When we try to run enadis, either from info or from the Enable/disable menu, we get the following error in xymon-error.log:

[Tue Mar 20 16:54:05.786245 2018] [cgi:error] [pid 9121] [client 172.28.56.243:60696] AH01215: 2018-03-20 16:54:05.786123 Enadis POST that is not coming from self or svcstatus (referer=https://xxxyyy.dk/xymon-seccgi/enadis.sh). Ignoring., referer: https:// xxxyyy.dk/xymon-seccgi/enadis.sh


I have tried to set XYMON_NOCSPHEADER="true" in either xymonserver.cfg or /etc/xymon/cgioptions.cfg but it doesn't seem to make a difference.


We have an httpd proxy in front where I had CSP configured, but I have tried to uncomment it and still get the same error.

I have tested with Firefox 59.0 and Chrome (64.0.3282.186), where JavaScript doesn't work with “Enable/disable menu”, and iexplorer (11.0.51).


(if I want to test directly without httpd/proxy I only have iexplorer v8)


(httpd/proxy)

        #Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains;"
        #Header always set X-Frame-Options "SAMEORIGIN"
        #Header always set X-Content-Type-Options "nosniff"
        #Header always unset Content-Security-Policy
        #Header always set Content-Security-Policy "xdwsscript-src 'self'"
        #Header always set X-XSS-Protection "1; mode=block"
        #Header always set Referrer-Policy "no-referrer"
        #Header unset Server
        #Header set X-Frame-Options "DENY"

        SSLProxyEngine on
        #ProxyPreserveHost On
        ServerName  xxxyy.dk
        SSLProxyVerify none
        SSLProxyCheckPeerCN off
        SSLProxyCheckPeerName off
        SSLProxyCheckPeerExpire on
        ProxyPass /xymon https://xxxyyy.dk:443/xymon
        ProxyPassReverse /xymon https://xxx.xxx.xxx.xxx:443/xymon

        ProxyPass /xymon-cgi https://xxx.xxx.xxx.xxx:443/xymon-cgi
        ProxyPassReverse /xymon-cgi https://xxx.xxx.xxx.xxx:443/xymon-cgi

        ProxyPass /xymon-seccgi/ https://xxx.xxx.xxx.xxx:443/xymon-seccgi/
        ProxyPassReverse /xymon-seccgi/ https://xxx.xxx.xxx.xxx:443/xymon-seccgi/

RENÉ HOIELT HANSEN

Senior Prof. Middleware System Engineer (EA&I)

DXC Technology

Retortvej 8, DK - 2500 Valby, Denmark, I-1-356

Mobile: +XX XXXX XXXX

Email: user-9536c738120c@xymon.invalid

Leave information in advance: Out of office, both days included


-----Original Message-----
From: Xymon [mailto:xymon-bounces at xymon.com] On Behalf Of John Thurston
Sent: 9. november 2017 20:26
To: xymon at xymon.com<mailto:xymon at xymon.com>
Subject: Re: [Xymon] Problems with Content Security Policy in Safari, Chrome, and IE


On 11/8/2017 7:40 PM, Jonathan Trott wrote:
Xymon 4.3.28-1.el7.terabithia with Safari 11 on High Sierra and Safari on iOS 11.
Problem occurs on the trends page.
https://xymon.domain.com.au/xymon-cgi/svcstatus.sh?HOST=host.com.au&SERVICE=trends
If you click on any of the time based buttons, 48hrs for example, the requested page doesn't load.
Safari on macOS looks like it's loading a page but doesn't get anywhere.

I'm able to duplicate this failure when building 4.3.28 from source on Solaris 10. It looks to me like the fix is to add "allow-same-origin" in lib/cgi.c to line 278

else if (strncmp(str, "svcstatus-trends", 16) == 0) csppol =
strdup("script-src 'self' 'unsafe-inline'; connect-src 'self';
form-action 'self'; sandbox allow-forms allow-scripts
allow-same-origin;");
How many other pages are broken in a similar manner? I'm not a big user of Google Chrome, so depend on my customers to report these breaks to me.


Each of the following pages gets a specific CSP:
"enadis"
"useradm"
"chpasswd"
"ackinfo"
"acknowledge"
"criticaleditor"
"svcstatus-trends"
"svcstatus-info"
"svcstatus"
"historylog"

svcstatus-info and -trends are special cases of the general purpose svcstatus case.


I've done spot-checks of these other pages with my copy of Chrome and they seem to behave correctly. Anyone else wanna check their browser/OS combinations and report back?


--

    Do things because you should, not just because you can.


John Thurston    XXX-XXX-XXXX

user-ce4d79d99bab@xymon.invalid

Department of Administration

State of Alaska

