Problems with Content Security Policy in Safari, Chrome, and IE
Xymon 4.3.28-1.el7.terabithia with Safari 11 on High Sierra and Safari on iOS 11. Problem occurs on the trends page.
https://xymon.domain.com.au/xymon-cgi/svcstatus.sh?HOST=host.com.au&SERVICE=...
If you click on any of the time based buttons, 48hrs for example, the requested page doesn't load. Safari on macOS looks like it's loading a page but doesn't get anywhere. Safari on iOS does nothing at all when you tap the button.
The console in Safari reveals the following error:
Refused to load https://xymon.domain.com.au/xymon-cgi/svcstatus.sh?HOST=host.com.au&SERVICE=... because it does not appear in the form-action directive of the Content Security Policy.
Checking the headers shows this content security policy:
Content-Security-Policy: script-src 'self' 'unsafe-inline'; connect-src 'self'; form-action 'self'; sandbox allow-forms allow-scripts;
I'm not that well versed in the CSP stuff, but I note that it also fails with the same error in the latest Chrome 62.0.3202.89, and in Internet Explorer 11.0.9600.18817 (no error logged), but works in the latest Firefox 56.0.2.
Has anyone else run into this issue, or has any more information on how I can modify the CSP headers to test?
I tried using Header set Content-Security-Policy in apache but that seems to add an improperly formatted addition to the rules rather than overwriting them.
Thanks, JT
On 11/8/2017 7:40 PM, Jonathan Trott wrote:
Has anyone else run into this issue, or has any more information on how I can modify the CSP headers to test?
I suspect Google Chrome has just changed some of their requirements, because I got a call on a different CSP issue a couple of days ago.
Changing the CSP header information isn't straight forward in Xymon. In this case, it is defined in lib/cgi.c, between lines 200 and 300. If you want to _really_ change these things, you'll need to patch the file and rebuild.
If you'd like to test the required changes before doing so, you can set XYMON_NOCSPHEADER="TRUE" in xymonserver.cfg. With this set, xymon will not create any CSP response headers. You may then use mod_header in Apache to set whatever values you'd like.
Note: My experience is on solaris, so not with the terabithia builds.
Do things because you should, not just because you can.
John Thurston 907-465-8591 John.Thurston at alaska.gov Department of Administration State of Alaska
On 11/8/2017 7:40 PM, Jonathan Trott wrote:
Xymon 4.3.28-1.el7.terabithia with Safari 11 on High Sierra and Safari on iOS 11. Problem occurs on the trends page.
https://xymon.domain.com.au/xymon-cgi/svcstatus.sh?HOST=host.com.au&SERVICE=...
If you click on any of the time based buttons, 48hrs for example, the requested page doesn't load. Safari on macOS looks like it's loading a page but doesn't get anywhere.
I'm able to duplicate this failure when building 4.3.28 from source on Solaris 10. It looks to me like the fix is to add "allow-same-origin" in lib/cgi.c to line 278
else if (strncmp(str, "svcstatus-trends", 16) == 0) csppol = strdup("script-src 'self' 'unsafe-inline'; connect-src 'self'; form-action 'self'; sandbox allow-forms allow-scripts allow-same-origin;");
How many other pages are broken in a similar manner? I'm not a big user of Google Chrome, so depend on my customers to report these breaks to me.
Each of the following pages gets a specific CSP:
"enadis" "useradm" "chpasswd" "ackinfo" "acknowledge" "criticaleditor" "svcstatus-trends" "svcstatus-info" "svcstatus" "historylog"
svcstatus-info and -trends are special cases of the general purpose svcstatus case.
I've done spot-checks of these other pages with my copy of Chrome and they seem to behave correctly. Anyone else wanna check their browser/OS combinations and report back?
-- Do things because you should, not just because you can.
John Thurston 907-465-8591 John.Thurston at alaska.gov Department of Administration State of Alaska
I propose the following patch to correct the broken form submission on the trends page:
--- ./xymon-4.3.28/lib/cgi.c-4.3.28 Thu Mar 3 14:44:55 2016 +++ ./xymon-4.3.28/lib/cgi.c Mon Nov 13 09:43:38 2017 @@ -275,7 +275,7 @@ else if (strncmp(str, "ackinfo", 7) == 0) csppol = strdup("script-src 'self'; connect-src 'self'; form-action 'self';"); else if (strncmp(str, "acknowledge", 11) == 0) csppol = strdup("script-src 'self'; connect-src 'self'; form-action 'self';"); else if (strncmp(str, "criticaleditor", 14) == 0) csppol = strdup("script-src 'self'; connect-src 'self'; form-action 'self';"); - else if (strncmp(str, "svcstatus-trends", 16) == 0) csppol = strdup("script-src 'self' 'unsafe-inline'; connect-src 'self'; form-action 'self'; sandbox allow-forms allow-scripts;"); + else if (strncmp(str, "svcstatus-trends", 16) == 0) csppol = strdup("script-src 'self' 'unsafe-inline'; connect-src 'self'; form-action 'self'; sandbox allow-forms allow-scripts allow-same-origin;"); else if (strncmp(str, "svcstatus-info", 14) == 0) csppol = strdup("script-src 'self' 'unsafe-inline'; connect-src 'self'; form-action 'self'; sandbox allow-forms allow-same-origin allow-scripts allow-modals allow-popups;"); else if (strncmp(str, "svcstatus", 9) == 0) csppol = strdup("script-src 'self'; connect-src 'self'; form-action 'self'; sandbox allow-forms allow-same-origin;"); else if (strncmp(str, "historylog", 10) == 0) csppol = strdup("script-src 'self'; connect-src 'self'; form-action 'self'; sandbox allow-forms;");
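Review bot: the "+" line fixes the symptom, but the reason belongs in the commit message: with "sandbox" present and no "allow-same-origin", Chrome and Safari give the document an opaque origin, so the "form-action 'self'" already on that line can never match the same-host submit target, which is exactly the "does not appear in the form-action directive" refusal reported at the top of the thread. Two follow-ups from the unchanged context: the "historylog" line two lines below ("form-action 'self'; sandbox allow-forms;") has the same combination and will refuse any form it submits, so it deserves the same check; and once "allow-scripts" and "allow-same-origin" sit together on the trends line (as they already do on the "svcstatus-info" line), the page's own script can drop the sandbox, so that directive is mostly documentation there and the effective controls are "form-action" and "script-src", which still carries "'unsafe-inline'".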
Has anyone found other incorrect CSP headers?
-- Do things because you should, not just because you can.
John Thurston 907-465-8591 John.Thurston at alaska.gov Department of Administration State of Alaska
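An added example (not Xymon code) that parses the CSP values quoted from the lib/cgi.c hunk above and flags the two sandbox interactions this thread turns on: a form-action 'self' that can never match because the sandbox gives the page an opaque origin, and a sandbox that allow-scripts plus allow-same-origin lets the page's own script remove. The policy strings are copied from the patch; the finding codes are my own.

```python
# Added example for this thread, not part of Xymon's lib/cgi.c.
# Checks Content-Security-Policy values for the sandbox interactions
# discussed above. Finding codes are invented here for illustration.


def parse_csp(policy):
    """Split a Content-Security-Policy value into {directive: [tokens]}."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def check_csp(policy):
    """Return a list of finding codes for one policy string."""
    d = parse_csp(policy)
    findings = []
    sandbox = d.get("sandbox")  # [] when the directive is present with no flags
    if sandbox is not None:
        same_origin = "allow-same-origin" in sandbox
        # Without allow-same-origin the sandboxed document has an opaque
        # origin, so Chrome/Safari refuse a submit to 'self' (the trends bug).
        if not same_origin and "'self'" in d.get("form-action", []):
            findings.append("FORM_ACTION_SELF_UNMATCHABLE")
        # With both flags, script running in the page can reach the real
        # origin and remove the sandbox, so the directive adds little.
        if same_origin and "allow-scripts" in sandbox:
            findings.append("SANDBOX_ESCAPABLE")
    if "'unsafe-inline'" in d.get("script-src", []):
        findings.append("UNSAFE_INLINE_SCRIPT")
    return findings


# Policies quoted from the lib/cgi.c hunk in this thread.
POLICIES = {
    "svcstatus-trends (before)": "script-src 'self' 'unsafe-inline'; connect-src 'self'; form-action 'self'; sandbox allow-forms allow-scripts;",
    "svcstatus-trends (after)": "script-src 'self' 'unsafe-inline'; connect-src 'self'; form-action 'self'; sandbox allow-forms allow-scripts allow-same-origin;",
    "svcstatus-info": "script-src 'self' 'unsafe-inline'; connect-src 'self'; form-action 'self'; sandbox allow-forms allow-same-origin allow-scripts allow-modals allow-popups;",
    "svcstatus": "script-src 'self'; connect-src 'self'; form-action 'self'; sandbox allow-forms allow-same-origin;",
    "historylog": "script-src 'self'; connect-src 'self'; form-action 'self'; sandbox allow-forms;",
}


def audit(policies=POLICIES):
    """Map each page name to its list of findings."""
    return {name: check_csp(p) for name, p in policies.items()}


if __name__ == "__main__":
    for name, findings in audit().items():
        print(f"{name:28s} {', '.join(findings) or 'ok'}")
```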
Hi John. I haven't seen the issue on any other pages, so your patch should hopefully fix the issue.
Thanks, JT
John Thurston <john.thurston at alaska.gov> wrote on 14/11/2017 05:58:30:
Sorry for being late to the party. I can confirm that the proposed patch works w/ 4.3.28 (on Raspbian) and fixes the “cannot use trends-form with Chrome browser” issue. Should be applied. JC?
All the best
Thomas
Hi,
I experience the same issue on MacOS (High Sierra) with the browsers:
- Safari (Version 11.0.1 (13604.3.5)) and
- Chrome Version 62.0.3202.94 (Official build) (64-bit).
No problems with:
- Firefox (57.0 (64-bit)),
I will try the setting:
XYMON_NOCSPHEADER="TRUE"
-- Peter
On 11/29/2017 3:22 AM, Peter Welter wrote:
I will try the setting:
XYMON_NOCSPHEADER="TRUE"
This will bypass the problem by suppressing all CSP headers on those pages. This will leave those pages and forms vulnerable to Cross-Site hacks; intentional, accidental, and incidental. It may also fail to work on near-future browser releases.
I wouldn't consider "NOCSPHEADER" to be anything more than a troubleshooting flag. It's just too easy for content from the clients to make its way onto pages.
-- Do things because you should, not just because you can.
John Thurston 907-465-8591 John.Thurston at alaska.gov Department of Administration State of Alaska
Hello John
Please let me know if I should send this to the mailing list. This is my first call for help.
I'm having trouble with enadis. I'm not sure if it's completely the same as you describe here but it looks similar.
We have installed xymon-4.3.28-1.el7.x86_64.rpm (terabithia.org). If I need to play with changing cgi.c and recompiling, will make install reinstall without the need for changes?
When we try to run enadis from either info or from the Enable/disable menu we get the following error in xymon-error.log
[Tue Mar 20 16:54:05.786245 2018] [cgi:error] [pid 9121] [client 172.28.56.243:60696] AH01215: 2018-03-20 16:54:05.786123 Enadis POST that is not coming from self or svcstatus (referer=https://xxxyyy.dk/xymon-seccgi/enadis.sh). Ignoring., referer: https://xxxyyy.dk/xymon-seccgi/enadis.sh
I have tried to set XYMON_NOCSPHEADER="true" in either xymonserver.cfg or /etc/xymon/cgioptions.cfg but it doesn't seem to make a difference.
We have a httpd proxy in front where I had CSP configured, but I have tried to uncomment it and still get the same error.
I have tested with Firefox 59.0 and Chrome (64.0.3282.186), where javascript doesn't work with the “Enable/disable menu”, and Internet Explorer (11.0.51).
(If I want to test directly without the httpd proxy I only have Internet Explorer v8.)
(httpd/proxy)
#Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains;"
#Header always set X-Frame-Options "SAMEORIGIN"
#Header always set X-Content-Type-Options "nosniff"
#Header always unset Content-Security-Policy
#Header always set Content-Security-Policy "xdwsscript-src 'self'"
#Header always set X-XSS-Protection "1; mode=block"
#Header always set Referrer-Policy "no-referrer"
#Header unset Server
#Header set X-Frame-Options "DENY"
SSLProxyEngine on
#ProxyPreserveHost On
ServerName xxxyy.dk
SSLProxyVerify none
SSLProxyCheckPeerCN off
SSLProxyCheckPeerName off
SSLProxyCheckPeerExpire on
ProxyPass /xymon https://xxxyyy.dk:443/xymon
ProxyPassReverse /xymon https://xxx.xxx.xxx.xxx:443/xymon
ProxyPass /xymon-cgi https://xxx.xxx.xxx.xxx:443/xymon-cgi
ProxyPassReverse /xymon-cgi https://xxx.xxx.xxx.xxx:443/xymon-cgi
ProxyPass /xymon-seccgi/ https://xxx.xxx.xxx.xxx:443/xymon-seccgi/
ProxyPassReverse /xymon-seccgi/ https://xxx.xxx.xxx.xxx:443/xymon-seccgi/
RENÉ HOIELT HANSEN
Senior Prof. Middleware System Engineer (EA&I)
DXC Technology
Retortvej 8, DK - 2500 Valby, Denmark, I-1-356
Mobile: +45 2923 5807
Email: rhansen21 at dxc.com
I doubt this error is being caused by the CSP settings. I believe those settings are interpreted by the web browser. I suspect this is caused by mismatch between the name published on your proxy and the name known by the xymon server.
Take a look in enadis.c. Lines 78-84 detect and print the error message you see. Line 82 contains the text: return; /* Just display, don't do anything */
which makes me think it is not affecting the behavior. Only throwing a message in the logs.
-- Do things because you should, not just because you can.
John Thurston 907-465-8591 John.Thurston at alaska.gov Department of Administration State of Alaska
On 3/21/2018 4:18 AM, Hansen, Rene H wrote:
[Tue Mar 20 16:54:05.786245 2018] [cgi:error] [pid 9121] [client 172.28.56.243:60696] AH01215: 2018-03-20 16:54:05.786123 Enadis POST that is not coming from self or svcstatus (referer=https://xxxyyy.dk/xymon-seccgi/enadis.sh). Ignoring., referer: https://xxxyyy.dk/xymon-seccgi/enadis.sh