From: "A.Chervonets@cominder.eu"
To: xymon@xymon.com
Subject: [Xymon] "sandboxed" errors in 4.3.27
Date: Thu, 12 Jan 2017 19:34:44 +0200

We have recently upgraded our monitoring server from 4.3.17 to 4.3.27 and
are now getting " is sandboxed, and the 'allow-scripts' keyword is not set."
errors in modern Chrome for svcstatus.sh pages.

Let me explain:
Some of our custom tests may generate large content with detailed technical
information, which is not always required to show on the web page.
The monitoring test generates HTML content with a DIV having style='display: none'.

The HTML content also contains an element with a JavaScript function call
to show the DIV content on click (or hide it on click again).
The appropriate JavaScript function is placed in the page header - it was placed
in the HEAD element - in
./server/web/hostsvc_header
./server/web/histlog_header

so the generated header is the following:
==============
<title>yellow : Xymon - dbinvobj status forhost=target-hostname (10.*.*.*) @ Thu Jan 12 19:07:47 2017</title>
<link href="/xymon/menu/xymonmenu-blue.css">
==============

It was working fine in 4.3.17 (really, we still have one monitoring server
of that version and it is working).
In 4.3.27 we get the following errors in the latest Chrome and our JavaScript
function is not working (nothing happens):

1)
Refused to execute the redirect specified via '<meta http-equiv='refresh' content='...'>'.
The document is sandboxed, and the 'allow-scripts' keyword is not set.

2)
Blocked script execution in
'https://myhostname:port/xymon-cgi/svcstatus.sh?HOST=target-hostname&SERVICE=custmetric'
because the document's frame is sandboxed and the 'allow-scripts' permission is not set.

Note: old Opera (before Chromium), old (2013) Chrome and more or less
modern Firefox ESR do not have such a problem.

I have found a similar thread, "[Xymon] 4.3.25 - ouch (reverting to 4.3.22)",
but it is not identical and it looks like a final solution was not found:
http://lists.xymon.com/archive/2016-February/043013.html

I have compared the page sources from Xymon 4.3.17 and 4.3.27 for the same
content, and the difference is only 1 line, which IMHO should not affect it - 1 menu
item added in 4.3.27:
<a href="/xymon-cgi/acknowledgements.sh">Acknowledgements</a>

If I save both pages locally as HTML files and open them in Chrome, the JavaScript
function is working and there are no "sandboxed" errors.

Best regards,
Andrey Chervonets
----------------------
SIA CoMinder
http://www.cominder.eu/
mobile: +371 26517848


From: cleaver@terabithia.org
To: xymon@xymon.com
Subject: [Xymon] "sandboxed" errors in 4.3.27
Date: Thu, 12 Jan 2017 10:12:20 -0800

On 1/12/2017 9:34 AM, Andrey Chervonets wrote:
> We have recently upgraded our monitoring server from 4.3.17 to 4.3.27
> and now getting " is sandboxed, and the 'allow-scripts' keyword is
> not set." errors in modern Chrome for svcstatus.sh pages
> [...]

Hi,

Yes, this was part of the anti-XSS/CSP fix that went into 4.3.25. There
were some initial problems, but I believe we resolved those issues
completely within 4.3.26.

The headers in question are generated at the CGI layer rather than in
the templates, which is why you don't see much of a change there.

You can bypass this generation by setting the "XYMON_NOCSPHEADER"
variable to something non-empty in xymonserver.cfg on your xymongen
server. This should only be done on systems you feel comfortable with
the integrity of the clients of, as it allows arbitrary JavaScript to be
returned in status and client messages (cf.
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2058).

HTH,
-jc


From: "A.Chervonets@cominder.eu"
To: xymon@xymon.com
Subject: [Xymon] "sandboxed" errors in 4.3.27
Date: Thu, 12 Jan 2017 23:49:13 +0200

Thank you! Setting the XYMON_NOCSPHEADER fixed the trouble.
In this case the clients are relatively safe.

Best regards,
Andrey Chervonets
----------------------
SIA CoMinder
http://www.cominder.eu/
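Added example, not from this thread and not Xymon's own code: a small Python check for the condition Chrome reported, so a defender can tell from a server's response headers whether the CGI-layer CSP jc describes is in effect (sandboxed without allow-scripts), whether it permits scripts, or whether it is absent as after the XYMON_NOCSPHEADER bypass. The header values used as input are constructed samples, not captured from a Xymon server, and the function names are my own.

```python
# Added example (not Xymon code): parse a Content-Security-Policy header and
# report whether the document is sandboxed without 'allow-scripts', the state
# Chrome complained about above.  Sample headers are constructed, not captured.
from typing import Dict, List, Optional


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split a CSP value into {directive-name: [tokens]}.

    Directives are ';'-separated; the first token is the name.  A repeated
    directive is ignored by browsers, so the first occurrence is kept.
    """
    policy: Dict[str, List[str]] = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def scripts_blocked_by_sandbox(headers: Dict[str, str]) -> Optional[bool]:
    """Classify one response by its CSP header (names compared case-insensitively).

    True  -> 'sandbox' present without 'allow-scripts': inline JavaScript such
             as a show/hide toggle in the page HEAD will not run.
    False -> a CSP is sent and its sandbox directive, if any, allows scripts.
    None  -> no CSP header at all, the state the XYMON_NOCSPHEADER bypass
             leaves the page in, so the browser adds no protection.
    """
    value = next((v for k, v in headers.items()
                  if k.lower() == "content-security-policy"), None)
    if value is None:
        return None
    policy = parse_csp(value)
    if "sandbox" not in policy:
        return False
    return "allow-scripts" not in {t.lower() for t in policy["sandbox"]}


# Constructed sample responses for the three server states discussed above.
SAMPLE_RESPONSES = {
    "sandboxed, no scripts": {"Content-Security-Policy": "sandbox allow-forms allow-same-origin"},
    "sandboxed, scripts allowed": {"Content-Security-Policy": "sandbox allow-scripts allow-forms"},
    "no CSP header": {"Content-Type": "text/html; charset=utf-8"},
}


def audit(responses: Dict[str, Dict[str, str]]) -> Dict[str, Optional[bool]]:
    """Run the check over every sample response and return {label: verdict}."""
    return {label: scripts_blocked_by_sandbox(h) for label, h in responses.items()}
```

Feed `scripts_blocked_by_sandbox` the headers of a real response from svcstatus.sh to confirm which state a server is in after editing xymonserver.cfg.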