We have recently upgraded our monitoring server from 4.3.17 to 4.3.27 and now getting " is sandboxed, and the 'allow-scripts' keyword is not set." errors in modern Chrome for svcstatus.sh pages
Let me explain: Some our custom tests may generate large content with detailed technical information, which is not always required to show on web-page. monitoring test generate HTML content with DIV having style='display: none'
HTML content also contains <A HREF> element with java script function call to show DIV content on click (or hide on click again) Appropriate java script function is placed in page header - it was placed in HEAD element - in ./server/web/hostsvc_header ./server/web/histlog_header
so generated header is the following:
<HEAD> <META HTTP-EQUIV="REFRESH" CONTENT="60"> <META HTTP-EQUIV="EXPIRES" CONTENT="Sat, 01 Jan 2001 00:00:00 GMT"> <META HTTP-EQUIV="Set-Cookie" CONTENT="pagepath=; path=/"> <META HTTP-EQUIV="Set-Cookie" CONTENT="host=target-hostname; path=/"> <TITLE>yellow : Xymon - dbinvobj status forhost=target-hostname (10.*.*.*) @ Thu Jan 12 19:07:47 2017</TITLE>
<!-- Styles for the Xymon body --> <link rel="stylesheet" type="text/css" href="/xymon/gifs/xymonbody.css">
<!-- Styles for the menu bar --> <link rel="stylesheet" type="text/css" href="/xymon/menu/xymonmenu-blue.css">
<!-- The favicon image --> <link rel="shortcut icon" href="/xymon/gifs/favicon-yellow.ico">
<!-- CoMinder customisation --> <script language="JavaScript1.2" type="text/javascript"> function toggle_div(p_DivName,p_LinkName,p_showCaption,p_HideCaption) { var div_element = document.getElementById(p_DivName); var text = document.getElementById(p_LinkName); if(div_element.style.display == "block") { div_element.style.display = "none"; text.innerHTML = p_showCaption; } else { div_element.style.display = "block"; text.innerHTML = p_HideCaption; } } </script> <!-- end of CoMinder customisation -->
</HEAD>
It was working fine in 4.3.17 (really we still have one monitoring server of that version and it is working) In 4.3.27 - we get the following errors in latest Chrome and our java script function is not working (nothing happens)
Refused to execute the redirect specified via '<meta http-equiv='refresh' content='...'>'. The document is sandboxed, and the 'allow-scripts' keyword is not set.
Blocked script execution in 'https://myhostname:port/xymon-cgi/svcstatus.sh?HOST=target-hostname&SERVICE=...' because the document's frame is sandboxed and the 'allow-scripts' permission is not set.
Note: old Opera (before Chromium), old (2013) Chrome and more or less modern FireFox ESR does not have such problem.
I have found similar thread for [Xymon] 4.3.25 - ouch (reverting to 4.3.22), but not identical and it looks like final solution was not found. http://lists.xymon.com/archive/2016-February/043013.html
I have compared pages sources from XyMon 4.3.17 and 4.3.27 for the same content. and the difference is only 1 line, which IMHO should not affect - 1 menu item added in 4.3.27: <a class="inner" href="/xymon-cgi/acknowledgements.sh">Acknowledgements</a>
If I save both pages locally as HTML file and open in Chrome - java script function is working and there are no "sandboxed" errors.
Best regards,
Andrey Chervonets
SIA CoMinder http://www.cominder.eu/ mobile: +371 26517848