4.3.25 - ouch (reverting to 4.3.22)
list John Thurston
My testing of the release candidate was obviously inadequate. My phone rang off the hook after shipping 4.3.25 to my production server. I've reverted it to 4.3.22 while I try to get a handle on the changes. :: svcstatus refresh :: I didn't see any mention of this in the release notes, but the page is now being delivered with a 30-second _header_ refresh in place of a 60-second _meta_ refresh. I assume the change in method is related to XSS protection changes, but I don't know for sure. The shortening of the interval concerns me much more than the change in method. I'd prefer the darned page didn't refresh at all, but hard coding it to every half minute? Ouch. Ick. What's the business case here? Anyone who his visually monitoring a single info page can hit F5 when they want a refresh, can't they? :: XSS protections :: It looks like the XSS protection bits inserted into http headers
content-security-policy: script-src 'self'; connect-src 'self'; form-action 'self'; sandbox allow-forms; X-Content-Security-Policy: script-src 'self'; connect-src 'self'; form-action 'self'; sandbox allow-forms; X-Webkit-CSP: script-src 'self'; connect-src 'self'; form-action 'self'; sandbox allow-forms;
has broken several functions for me. The most important things are the notes our operators use to figure out who to call. We insert some html into the DESCR tag of hosts.cfg. This appears on the "info" page as a link. The links are to static content served by the same Apache web server. The tags are of the form:
DESCR:"Important Server:<a href=/xymon/CNotes/ImportantServer target=Notes>Reference notes</a>"
With Firefox, the links work. With InternetExploder and Chrome, the links quietly fail to work. The Chrome console returns the error message: Blocked script execution in 'https://foo.bar.com/xymon- cgi/svcstatus.sh?HOST=bb.bar.com&SERVICE=info' because the document's frame is sandboxed and the 'allow-scripts' permission is not set. Removing the "target" property from the A tag allows it to work. It overwrites the info page, but at least it works :p It feels like a step back to the 90's be forced into a single page that keeps getting replaced. I don't know enough about the "content security policy". What are my options to retain the named-window/tab capabilities? :: svcstatus disable function :: We are unable to enable/disable test from a host's "info" page. We can do so from enadis.sh, but this is a lot harder for many of our users. In Chrome, attempts to disable tests from the "info" page is generating the same "frame is sandboxed" messages. In Firefox, the attempts just don't do anything. There are messages in the console Content Security Policy: The page's settings blocked the loading of a resource at self ("script-src https://x.foo.com";). so maybe the information necessary to build the form isn't even being loaded. -- Do things because you should, not just because you can. John Thurston XXX-XXX-XXXX user-ce4d79d99bab@xymon.invalid Enterprise Technology Services Department of Administration State of Alaska
list Matt Vander Werf
I can confirm that the enable/disable functionality isn't working for me either when done from the info page. Selecting apply just doesn't do anything (using Firefox). In Chrome, I'm seeing the same error messages in the Chrome Console that John describes. I'm using the latest Terabithia RPMs for RHEL 7. I very much disagree with the idea of having to hit F5 every so often to see a refreshed Xymon page, rather then it refreshing automatically. If I have a Xymon page up on a monitor and then I am working on something else on another monitor, I don't want to have to go over to the browser on the other monitor and hit F5 every so often to refresh the page. I'd much rather it refresh every so often automatically, so then I just have to look over at the monitor every so often to look for any changes. Where exactly are you seeing this refresh change (just curious)? Why wouldn't you want it to refresh automatically? Isn't the idea to get the most up-to-date info possible? Personally, it doesn't matter to me whether it's every 60 seconds or every 30 seconds. 60 seconds worked just fine for me before. Maybe J.C. can elaborate more on why the change in the time interval happened. Thanks. -- Matt Vander Werf On Wed, Feb 10, 2016 at 4:23 PM, John Thurston <user-ce4d79d99bab@xymon.invalid>
▸
wrote:
My testing of the release candidate was obviously inadequate. My phone rang off the hook after shipping 4.3.25 to my production server. I've reverted it to 4.3.22 while I try to get a handle on the changes. :: svcstatus refresh :: I didn't see any mention of this in the release notes, but the page is now being delivered with a 30-second _header_ refresh in place of a 60-second _meta_ refresh. I assume the change in method is related to XSS protection changes, but I don't know for sure. The shortening of the interval concerns me much more than the change in method. I'd prefer the darned page didn't refresh at all, but hard coding it to every half minute? Ouch. Ick. What's the business case here? Anyone who his visually monitoring a single info page can hit F5 when they want a refresh, can't they? :: XSS protections :: It looks like the XSS protection bits inserted into http headerscontent-security-policy: script-src 'self'; connect-src 'self'; form-action 'self'; sandbox allow-forms; X-Content-Security-Policy: script-src 'self'; connect-src 'self'; form-action 'self'; sandbox allow-forms; X-Webkit-CSP: script-src 'self'; connect-src 'self'; form-action 'self'; sandbox allow-forms;has broken several functions for me. The most important things are the notes our operators use to figure out who to call. We insert some html into the DESCR tag of hosts.cfg. This appears on the "info" page as a link. The links are to static content served by the same Apache web server. The tags are of the form:DESCR:"Important Server:<a href=/xymon/CNotes/ImportantServer target=Notes>Reference notes</a>"With Firefox, the links work. With InternetExploder and Chrome, the links quietly fail to work. The Chrome console returns the error message: Blocked script execution in 'https://foo.bar.com/xymon- cgi/svcstatus.sh?HOST=bb.bar.com&SERVICE=info' because the document's frame is sandboxed and the 'allow-scripts' permission is not set. Removing the "target" property from the A tag allows it to work. It overwrites the info page, but at least it works :p It feels like a step back to the 90's be forced into a single page that keeps getting replaced. I don't know enough about the "content security policy". What are my options to retain the named-window/tab capabilities? :: svcstatus disable function :: We are unable to enable/disable test from a host's "info" page. We can do so from enadis.sh, but this is a lot harder for many of our users. In Chrome, attempts to disable tests from the "info" page is generating the same "frame is sandboxed" messages. In Firefox, the attempts just don't do anything. There are messages in the console Content Security Policy: The page's settings blocked the loading of a resource at self ("script-src https://x.foo.com";). so maybe the information necessary to build the form isn't even being loaded. -- Do things because you should, not just because you can. John Thurston XXX-XXX-XXXX user-ce4d79d99bab@xymon.invalid Enterprise Technology Services Department of Administration State of Alaska
list John Thurston
On 2/10/2016 12:44 PM, Matt Vander Werf wrote: - snip -
▸
I very much disagree with the idea of having to hit F5 every so often to see a refreshed Xymon page, rather then it refreshing automatically. If I have a Xymon page up on a monitor and then I am working on something else on another monitor, I don't want to have to go over to the browser on the other monitor and hit F5 every so often to refresh the page. I'd much rather it refresh every so often automatically, so then I just have to look over at the monitor every so often to look for any changes. Where exactly are you seeing this refresh change (just curious)?
This refresh has been moved from the _meta_ content of the svchosts page the HTTP _header_ . As such, "view source" will no longer reveal it.
▸
Why wouldn't you want it to refresh automatically? Isn't the idea to get the most up-to-date info possible?
Not in all cases. I want the general pages of hosts (like xymon.html) to refresh periodically, but there is no need to have them auto-refresh faster than I am running xymongen. The issue I see is specifically with the "info" page produced by svcstatus.sh. I have it open when I'm studying a host for a specific reason. I would prefer that page not auto-refresh while I'm studying it trying to figure out a problem. If I want new information, I can refresh it. I might even want to keep it frozen and open a new copy in a new tab so I could compare the past and the present. Does anyone put a single host's "info" page on a screen and leave it there for general monitoring? If so, why? What problem does it solve that looking at the parent page of hosts does not?
▸
--
Do things because you should, not just because you can.
John Thurston XXX-XXX-XXXX
user-ce4d79d99bab@xymon.invalid
Enterprise Technology Services
Department of Administration
State of Alaska
list Matt Vander Werf
Ah. I didn't realize you were referring to the info page. No, I completely agree with you here in regards to the info page. My thoughts were more directed at actual status pages or other pages where colors/icons might change, which it seems like you're in agreement with me. Again, the refresh interval doesn't matter so much to me. However it was done previously worked just fine. -- Matt Vander Werf On Wed, Feb 10, 2016 at 5:02 PM, John Thurston <user-ce4d79d99bab@xymon.invalid>
▸
wrote:
On 2/10/2016 12:44 PM, Matt Vander Werf wrote: - snip -I very much disagree with the idea of having to hit F5 every so often to see a refreshed Xymon page, rather then it refreshing automatically. If I have a Xymon page up on a monitor and then I am working on something else on another monitor, I don't want to have to go over to the browser on the other monitor and hit F5 every so often to refresh the page. I'd much rather it refresh every so often automatically, so then I just have to look over at the monitor every so often to look for any changes. Where exactly are you seeing this refresh change (just curious)?This refresh has been moved from the _meta_ content of the svchosts page the HTTP _header_ . As such, "view source" will no longer reveal it. Why wouldn't you want it to refresh automatically? Isn't the idea to getthe most up-to-date info possible?Not in all cases. I want the general pages of hosts (like xymon.html) to refresh periodically, but there is no need to have them auto-refresh faster than I am running xymongen. The issue I see is specifically with the "info" page produced by svcstatus.sh. I have it open when I'm studying a host for a specific reason. I would prefer that page not auto-refresh while I'm studying it trying to figure out a problem. If I want new information, I can refresh it. I might even want to keep it frozen and open a new copy in a new tab so I could compare the past and the present. Does anyone put a single host's "info" page on a screen and leave it there for general monitoring? If so, why? What problem does it solve that looking at the parent page of hosts does not? -- Do things because you should, not just because you can. John Thurston XXX-XXX-XXXX user-ce4d79d99bab@xymon.invalid Enterprise Technology Services Department of Administration State of Alaska
list Japheth Cleaver
On the refresh value, this was an unintentionally broad change. CSP sadly catches the META HTTP-EQUIV "Refresh" tag as well as something that is no longer honored, which requires moving it up into the actual HTTP headers. This updated version of the CSP patch (from the last email) does two things: 1) separate out info and trends pages from "regular" svcstatus pages. The former won't be auto-refreshed 2) adds a previously-referenced XYMWEBREFRESH variable, which can be used to configure this (default: 60s) Going from 60s to 30s was an error on my part. I'd actually thought that was the value for some reason... On info pages not allowing _targets, that's also something caught by CSP. The patch should fix this as well. Please verify if you can. Regards, -jc
▸
On Wed, February 10, 2016 2:02 pm, John Thurston wrote:On 2/10/2016 12:44 PM, Matt Vander Werf wrote: - snip -I very much disagree with the idea of having to hit F5 every so often to see a refreshed Xymon page, rather then it refreshing automatically. If I have a Xymon page up on a monitor and then I am working on something else on another monitor, I don't want to have to go over to the browser on the other monitor and hit F5 every so often to refresh the page. I'd much rather it refresh every so often automatically, so then I just have to look over at the monitor every so often to look for any changes. Where exactly are you seeing this refresh change (just curious)?This refresh has been moved from the _meta_ content of the svchosts page the HTTP _header_ . As such, "view source" will no longer reveal it.Why wouldn't you want it to refresh automatically? Isn't the idea to get the most up-to-date info possible?Not in all cases. I want the general pages of hosts (like xymon.html) to refresh periodically, but there is no need to have them auto-refresh faster than I am running xymongen. The issue I see is specifically with the "info" page produced by svcstatus.sh. I have it open when I'm studying a host for a specific reason. I would prefer that page not auto-refresh while I'm studying it trying to figure out a problem. If I want new information, I can refresh it. I might even want to keep it frozen and open a new copy in a new tab so I could compare the past and the present. Does anyone put a single host's "info" page on a screen and leave it there for general monitoring? If so, why? What problem does it solve that looking at the parent page of hosts does not? -- Do things because you should, not just because you can. John Thurston XXX-XXX-XXXX user-ce4d79d99bab@xymon.invalid Enterprise Technology Services Department of Administration State of Alaska
list John Thurston
▸
On 2/10/2016 1:14 PM, J.C. Cleaver wrote:
On the refresh value, this was an unintentionally broad change. CSP sadly catches the META HTTP-EQUIV "Refresh" tag as well as something that is no longer honored, which requires moving it up into the actual HTTP headers. This updated version of the CSP patch (from the last email) does two things: 1) separate out info and trends pages from "regular" svcstatus pages. The former won't be auto-refreshed 2) adds a previously-referenced XYMWEBREFRESH variable, which can be used to configure this (default: 60s) Going from 60s to 30s was an error on my part. I'd actually thought that was the value for some reason...
These patches are helping. Thank you!
▸
On info pages not allowing _targets, that's also something caught by CSP. The patch should fix this as well. Please verify if you can.
To let the "target=_blank" option work, I needed to add "allow-popups" to line 269 of lib/cgi.c
269 else if (strncmp(str, "svcstatus-info", 14) == 0) csppol = strdup("script-src 'self' 'unsafe-inline'; connect-src 'self'; form-action 'self'; sandbox allow-forms allow-scripts allow-popups;");▸
--
Do things because you should, not just because you can.
John Thurston XXX-XXX-XXXX
user-ce4d79d99bab@xymon.invalid
Enterprise Technology Services
Department of Administration
State of Alaska
list Japheth Cleaver
▸
On Wed, February 10, 2016 3:25 pm, John Thurston wrote:
On 2/10/2016 1:14 PM, J.C. Cleaver wrote:
1) separate out info and trends pages from "regular" svcstatus pages. The former won't be auto-refreshed 2) adds a previously-referenced XYMWEBREFRESH variable, which can be used to configure this (default: 60s) Going from 60s to 30s was an error on my part. I'd actually thought that was the value for some reason...These patches are helping. Thank you!On info pages not allowing _targets, that's also something caught by CSP. The patch should fix this as well. Please verify if you can.To let the "target=_blank" option work, I needed to add "allow-popups" to line 269 of lib/cgi.c269 else if (strncmp(str, "svcstatus-info", 14) == 0) csppol = strdup("script-src 'self' 'unsafe-inline'; connect-src 'self'; form-action 'self'; sandbox allow-forms allow-scripts allow-popups;");
Can you test with the following two patches? I believe these should take care of the outstanding issues. It seems like some versions of Chrome need the allow-modals permission as well. Regards, -jc
list John Thurston
▸
On 2/10/2016 6:52 PM, J.C. Cleaver wrote:
Can you test with the following two patches? I believe these should take care of the outstanding issues. It seems like some versions of Chrome need the allow-modals permission as well.
I've taken a fresh extract of the .25 tar and applied these two patches. I'm still testing, but it looks like: Chrome "48.0.2564.109 m" will do enable/disable from 'enadis.sh' but neither from 'svcstatus.sh?SERVICE=info' Internet Exploder 10 will do enable/disable from both locations I'm doing more testing, but thought I'd get this report in.
▸
--
Do things because you should, not just because you can.
John Thurston XXX-XXX-XXXX
user-ce4d79d99bab@xymon.invalid
Enterprise Technology Services
Department of Administration
State of Alaska
list John Thurston
▸
On 2/11/2016 9:48 AM, John Thurston wrote:
On 2/10/2016 6:52 PM, J.C. Cleaver wrote:Can you test with the following two patches? I believe these should take care of the outstanding issues. It seems like some versions of Chrome need the allow-modals permission as well.I've taken a fresh extract of the .25 tar and applied these two patches.
It looks like links (such as I embed in the DESCR tags) on 'svcstatus.sh?SERVICE=info' are not getting a referrer set on Chrome or Exploder. The referrer is present with FireFox. I suspect it is back with the "content-security-policy" again. I'll see if I can identify the required pixie dust.
▸
--
Do things because you should, not just because you can.
John Thurston XXX-XXX-XXXX
user-ce4d79d99bab@xymon.invalid
Enterprise Technology Services
Department of Administration
State of Alaska
list Japheth Cleaver
▸
On Thu, February 11, 2016 11:02 am, John Thurston wrote:
On 2/11/2016 9:48 AM, John Thurston wrote:On 2/10/2016 6:52 PM, J.C. Cleaver wrote:Can you test with the following two patches? I believe these should take care of the outstanding issues. It seems like some versions of Chrome need the allow-modals permission as well.I've taken a fresh extract of the .25 tar and applied these two patches.It looks like links (such as I embed in the DESCR tags) on 'svcstatus.sh?SERVICE=info' are not getting a referrer set on Chrome or Exploder. The referrer is present with FireFox. I suspect it is back with the "content-security-policy" again. I'll see if I can identify the required pixie dust.
Thanks. I've been trying with the 'referrer' policy as well, but nothing
seems to have an effect.
I'm really beginning to hate the modern web >.<
-jc