I can confirm that this update fixes the issue on the browsers I've tested as well. Thanks, John for identifying the issue here. Will be issuing a release update tonight. Regards, -jc On 11/29/2017 4:18 AM, Thomas Eckert wrote:
Sorry for being late to the party. I can confirm that the proposed patch work w/ 4.3.28 (on Raspbian) and fixes the “cannot use trends-form with Chrome browser”-issue.
Should be applied. JC?
All the best Thomas
On 13 Nov 2017, at 19:58, John Thurston <john.thurston at alaska.gov> wrote:
I propose the following patch to correct the broken form submission on the trends page:
--- ./xymon-4.3.28/lib/cgi.c-4.3.28 Thu Mar 3 14:44:55 2016 +++ ./xymon-4.3.28/lib/cgi.c Mon Nov 13 09:43:38 2017 @@ -275,7 +275,7 @@ else if (strncmp(str, "ackinfo", 7) == 0) csppol = strdup("script-src 'self'; connect-src 'self'; form-action 'self';"); else if (strncmp(str, "acknowledge", 11) == 0) csppol = strdup("script-src 'self'; connect-src 'self'; form-action 'self';"); else if (strncmp(str, "criticaleditor", 14) == 0) csppol = strdup("script-src 'self'; connect-src 'self'; form-action 'self';"); - else if (strncmp(str, "svcstatus-trends", 16) == 0) csppol = strdup("script-src 'self' 'unsafe-inline'; connect-src 'self'; form-action 'self'; sandbox allow-forms allow-scripts;"); + else if (strncmp(str, "svcstatus-trends", 16) == 0) csppol = strdup("script-src 'self' 'unsafe-inline'; connect-src 'self'; form-action 'self'; sandbox allow-forms allow-scripts allow-same-origin;"); else if (strncmp(str, "svcstatus-info", 14) == 0) csppol = strdup("script-src 'self' 'unsafe-inline'; connect-src 'self'; form-action 'self'; sandbox allow-forms allow-same-origin allow-scripts allow-modals allow-popups;"); else if (strncmp(str, "svcstatus", 9) == 0) csppol = strdup("script-src 'self'; connect-src 'self'; form-action 'self'; sandbox allow-forms allow-same-origin;"); else if (strncmp(str, "historylog", 10) == 0) csppol = strdup("script-src 'self'; connect-src 'self'; form-action 'self'; sandbox allow-forms;"); Has anyone found other incorrect CSP headers ?
Do things because you should, not just because you can.
John Thurston 907-465-8591 John.Thurston at alaska.gov Department of Administration State of Alaska _______________________________________________ Xymon mailing list Xymon at xymon.com http://lists.xymon.com/mailman/listinfo/xymon
Xymon mailing list Xymon at xymon.com http://lists.xymon.com/mailman/listinfo/xymon
participants (1)
-
cleaver@terabithia.org