Since I installed version 1.6.0p9, I can’t access external URLs in checkmk with Firefox or Edge. Only IE works. I experience this issue in the dashlets and bookmarks. Nothing appears on the page.
Firefox Network Trace says “blocked”, but I don’t know why.
I have tested it with some different sites (internal, external - http, https). No site works after this checkmk update. So you can take any site you want. For example I tried https://checkmk.de.
In your marked entry you see “CSP” - Content Security Policy - that means that your request is blocked because it violates this policy.
You can modify the content security settings inside the file
~/etc/apache/conf.d/security.conf or disable the config completely, which I do not recommend.
In my test environment without HTTPS I can access most external pages as long as they have no security settings of their own that prevent the page from loading inside an iframe.
If I try to access something like heise.de from my bookmarks, then it becomes blocked, but not by my Apache.
If the remote site blocks you, you will see something like
If I try https://heise.de as bookmark, nothing happens in Firefox.
I don’t understand the difference between the old and the new checkmk version.
Did you mean the apache config of the checkmk server?
For testing I have another checkmk server with 1.6.0p8.
It looks different:
The security.conf is different between p8 and p9.
Inside p8 the Header was set in a different way than in p9
p9
# default-src: Default policy for all not configured ones
# Allow custom URL handlers "ssh://" and "rdp://". These are used by some
# users for some custom icons for directory connecting to the monitored hosts.
# img-src: Allow local images and data URLs e.g. from CSS files
# Allow access to openstreetmap tile server for NagVis Worldmap
# connect-src: Allow AJAX calls to current scheme/url/port and the crash report API
# frame-ancestors: Only allow to include the pages served by this site in frames of same URLs
# base-uri: <base>-Tag is limited to current scheme/url/port
# form-action: Form submissions are limited to current scheme/url/port
# "javascript: 'unsafe-inline'" have been added for NagVis (Options > ... forms)
# object-src: Disallow arbitrary plugins like flash or java, but allow PDF open e.g. in chrome
Header always set Content-Security-Policy "default-src 'self' 'unsafe-inline' 'unsafe-eval' ssh: rdp:; img-src 'self' data: https://*.tile.openstreetmap.org/ ; connect-src 'self' https://crash.checkmk.com/ ; frame-ancestors 'self' ; base-uri 'self'; form-action 'self' javascript: 'unsafe-inline'; object-src 'self'"
p8
# Default policy for all not configured ones
Header always set Content-Security-Policy "default-src 'self' 'unsafe-inline' 'unsafe-eval'"
# Allow local images and data URLs e.g. from CSS files
# Allow access to openstreetmap tile server for NagVis Worldmap
Header always set Content-Security-Policy "img-src 'self' data: https://*.tile.openstreetmap.org/"
# Allow AJAX calls to current scheme/url/port and the crash report API
Header always append Content-Security-Policy "connect-src 'self' https://crash.checkmk.com"
# Only allow to include the pages served by this site in frames of same URLs
Header always append Content-Security-Policy "frame-ancestors 'self'"
# <base>-Tag is limited to current scheme/url/port
Header always append Content-Security-Policy "base-uri 'self'"
# Form submissions are limited to current scheme/url/port
# "javascript: 'unsafe-inline'" have been added for NagVis (Options > ... forms)
Header always append Content-Security-Policy "form-action 'self' javascript: 'unsafe-inline'"
# Disallow arbitrary plugins like flash or java, but allow PDF open e.g. in chrome
Header always append Content-Security-Policy "object-src 'self'"
I think also that I see what was wrong with the policy in p8. There are two lines with “Header always set”; the second one overwrites the first one, and the first line is, as it is written, the default policy for all the content not configured below.
Yes, you are right.
Now I added “child-src *.mydomain.com” at the end of the “Header always set Content-Security-Policy”. That works for me. My “external” sites are now displayed.
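To make the difference between the two security.conf versions concrete, here is an added example (it is not code from the thread or from checkmk). It simulates Apache mod_headers "set"/"append" on the Content-Security-Policy header, parses the resulting header value, and decides whether a frame load is allowed using the CSP fallback order frame-src, then child-src, then default-src (a frame is only blocked if every comma-separated policy in the header allows it). The origin https://cmk.example and the frame URLs are placeholders I made up; mydomain.com is the placeholder from the thread. Port matching and path matching of host sources are simplified.

```python
"""Why p8 showed external iframes, p9 blocked them, and why child-src fixes it.

Added example, not checkmk code. Simulates 'Header always set/append' for the
Content-Security-Policy header and a minimal CSP matcher for frame loads.
"""
from urllib.parse import urlsplit

SELF_ORIGIN = "https://cmk.example"  # placeholder for the checkmk site origin

# Order in which CSP resolves the directive governing an <iframe> load.
FRAME_FALLBACK = ("frame-src", "child-src", "default-src")


def apply_header_directives(directives):
    """Simulate mod_headers for one header: 'set' replaces the current value,
    'append' joins onto it with ', ' (as Apache does). Returns the final value."""
    value = None
    for action, text in directives:
        if action == "set":
            value = text
        elif action == "append":
            value = text if value is None else f"{value}, {text}"
        else:
            raise ValueError(f"unknown action {action!r}")
    return value


def parse_csp(header_value):
    """A comma-separated header carries several policies; each is split into
    directive -> source list. The first occurrence of a directive wins."""
    policies = []
    for policy_text in header_value.split(","):
        policy = {}
        for directive in policy_text.split(";"):
            parts = directive.split()
            if parts:
                policy.setdefault(parts[0].lower(), parts[1:])
        policies.append(policy)
    return policies


def source_matches(expr, url, self_origin=SELF_ORIGIN):
    """Simplified CSP source-expression matching for a URL (no port/path rules)."""
    u = urlsplit(url)
    if expr == "'none'":
        return False
    if expr == "*":
        return True  # simplification: wildcard allows any network scheme
    if expr == "'self'":
        s = urlsplit(self_origin)
        return (u.scheme, u.netloc) == (s.scheme, s.netloc)
    if expr.startswith("'"):
        return False  # 'unsafe-inline' etc. never match a URL
    if expr.endswith(":") and "/" not in expr:
        return u.scheme == expr[:-1]  # scheme source such as https: or ssh:
    scheme, host_expr = (expr.split("://", 1) if "://" in expr else (None, expr))
    host_expr = host_expr.split("/", 1)[0].partition(":")[0]  # drop path and port
    if scheme and u.scheme != scheme:
        return False
    host = u.hostname or ""
    if host_expr.startswith("*."):
        return host.endswith(host_expr[1:]) and host != host_expr[2:]
    return host == host_expr


def frame_allowed(header_value, frame_url, self_origin=SELF_ORIGIN):
    """Return (allowed, blocking_directive). Every policy in the header must
    allow the load; within a policy the first present fallback directive
    governs, and a policy with none of them does not restrict frames."""
    for policy in parse_csp(header_value):
        governing = next((d for d in FRAME_FALLBACK if d in policy), None)
        if governing is None:
            continue
        if not any(source_matches(s, frame_url, self_origin) for s in policy[governing]):
            return False, governing
    return True, None


# p9: one 'set' carrying the whole policy (copied from the thread).
P9_HEADER = apply_header_directives([
    ("set", "default-src 'self' 'unsafe-inline' 'unsafe-eval' ssh: rdp:; "
            "img-src 'self' data: https://*.tile.openstreetmap.org/ ; "
            "connect-src 'self' https://crash.checkmk.com/ ; frame-ancestors 'self' ; "
            "base-uri 'self'; form-action 'self' javascript: 'unsafe-inline'; object-src 'self'"),
])

# p8: the second 'set' silently discards the default-src line.
P8_HEADER = apply_header_directives([
    ("set", "default-src 'self' 'unsafe-inline' 'unsafe-eval'"),
    ("set", "img-src 'self' data: https://*.tile.openstreetmap.org/"),
    ("append", "connect-src 'self' https://crash.checkmk.com"),
    ("append", "frame-ancestors 'self'"),
    ("append", "base-uri 'self'"),
    ("append", "form-action 'self' javascript: 'unsafe-inline'"),
    ("append", "object-src 'self'"),
])

# The fix from the thread: allow frames from the operator's own domain only.
P9_FIXED_HEADER = P9_HEADER + "; child-src *.mydomain.com"

if __name__ == "__main__":
    for label, header in (("p9", P9_HEADER), ("p8", P8_HEADER), ("p9+child-src", P9_FIXED_HEADER)):
        for url in ("https://checkmk.de/", "https://grafana.mydomain.com/d/1"):
            print(label, url, frame_allowed(header, url))
```

The p8 header never contains default-src at all, so nothing governs frame loads and any external site could be embedded; p9 restores default-src 'self', which makes the same bookmarks fall back to 'self' and get blocked. Adding child-src for your own domain keeps the p9 default while reopening only the frames you actually need.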