Nagvis iFrame content blocked

Thanks Yggy !

As CLiX said, I tried to add the command “child-src *.mydomain.com” at the end of the “Header always set Content-Security-Policy” but I can’t restart the omd service after that.

File: /opt/omd/sites/“OMD-SITE”/etc/apache/conf.d/security.conf

I disabled all Headers in this file and it seems to have worked (half).

I’m now trying to understand how this file works but I’m a little confused. I disabled the old line “Header always set Content-Security-Policy” and created a new one:

Old:

Header always set Content-Security-Policy "default-src 'self' 'unsafe-inline' 'unsafe-eval' ssh: rdp:; img-src 'self' data: https://*.tile.openstreetmap.org/ ; connect-src 'self' https://crash.checkmk.com/ https://license.checkmk.com/api/verify; frame-ancestors 'self' ; base-uri 'self'; form-action 'self' javascript: 'unsafe-inline'; object-src 'self'; worker-src 'self' blob:" "expr=%{REQUEST_STATUS} != 200"

New:

Header always set Content-Security-Policy "default-src 'self' 'unsafe-inline' 'unsafe-eval' ssh: rdp:; img-src 'self' data: https://*.tile.openstreetmap.org/ ; connect-src 'self' https://crash.checkmk.com/ https://license.checkmk.com/api/verify; frame-ancestors 'self' ; base-uri 'self'; form-action 'self' javascript: 'unsafe-inline'; object-src 'self'; worker-src 'self' blob:; frame-src 'self' 'unsafe-inline' 'unsafe-eval' *."MYDOMAIN".local"

I had to delete "expr=%{REQUEST_STATUS} != 200" and add frame-src 'self' 'unsafe-inline' 'unsafe-eval' *."MYDOMAIN".local"

Now the iFrame is displaying in NagVis but the autologin doesn’t work, and when I type the login/password, I’m completely redirected to the iFrame’s URL instead of the URL being displayed in the iFrame of NagVis.

Here is the link I use with the iFrame:

https://HOSTNAME.domain.local/"OMD-SITE"/check_mk/login.py?_origtarget=/"OMD-SITE"/nagvis/frontend/nagvis-js/index.php?mod=Map%26act=view%26show=Overview&_username=monitoring&_password=monitoring&_login=1

I have this error in Chrome:

login.py?_origtarget=%2F"OMD-SITE"%2Fnagvis%2Ffrontend%2Fnagvis-js%2Findex.php%3Fmod%3DMap%26act%3Dview%26show%3DOverview:6 
Unsafe attempt to initiate navigation for frame with origin 'http://"LOCALHOST" from frame with URL 'https://"REMOTEHOST"."MYDOMAIN".local/"OMD-SITE"/check_mk/login.py?_origtarget=%2F"OMD-SITE"%2Fnagvis%2Ffrontend%2Fnagvis-js%2Findex.php%3Fmod%3DMap%26act%3Dview%26show%3DOverview'. The frame attempting navigation is targeting its top-level window, but is neither same-origin with its target nor has it received a user gesture. See https://www.chromestatus.com/feature/5851021045661696.

(anonymous) @ login.py?_origtarget=%2F"OMD-SITE"%2Fnagvis%2Ffrontend%2Fnagvis-js%2Findex.php%3Fmod%3DMap%26act%3Dview%26show%3DOverview:6
Uncaught DOMException: Failed to set the 'href' property on 'Location': The current window does not have permission to navigate the target frame to 'https://"REMOTEHOST"."MYDOMAIN".local/"OMD-SITE"/check_mk/login.py?_origtarget=%2F"OMD-SITE"…rontend%2Fnagvis-js%2Findex.php%3Fmod%3DMap%26act%3Dview%26show%3DOverview'.
    at https://"REMOTEHOST"."MYDOMAIN".local/"OMD-SITE"/check_mk/login.py?_origtarget=%2F"OMD-SITE"…nd%2Fnagvis-js%2Findex.php%3Fmod%3DMap%26act%3Dview%26show%3DOverview:6:30
(anonymous)	@	login.py?_origtarget…26show%3DOverview:6

Does anyone have a clue about this?

Best Regards,
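
Added example (not part of the original post and not Checkmk or NagVis code): a simplified Python check of which directive governs a frame load under the old and new headers quoted above, and which frame-src tokens do nothing there. Assumptions: the policy is the one served with the embedding page, the two headers are abbreviated, `example.local` and the host names stand in for the masked values, and source matching ignores ports and paths.

```python
from urllib.parse import urlsplit

# Constructed sample input: abbreviated headers, example.local replaces the masked domain.
OLD = "default-src 'self' 'unsafe-inline' 'unsafe-eval' ssh: rdp:; frame-ancestors 'self'"
NEW = OLD + "; frame-src 'self' 'unsafe-inline' 'unsafe-eval' *.example.local"
PAGE = "https://nagvis.example.local/site/nagvis/"                 # embedding page
FRAME = "https://remotehost.example.local/site/check_mk/login.py"  # framed URL

def parse_csp(header):
    """Split a CSP header value into {directive: [source expressions]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])  # first occurrence wins
    return policy

def _origin(url):
    u = urlsplit(url)
    return (u.scheme, u.hostname, u.port or {"http": 80, "https": 443}.get(u.scheme))

def source_matches(src, url, page_url):
    """Simplified matching for 'self', scheme: sources, host and *.host sources."""
    u = urlsplit(url)
    if src == "'self'":
        return _origin(url) == _origin(page_url)
    if src.startswith("'"):      # other quoted keywords never match a URL
        return False
    if src.endswith(":"):        # scheme-source such as ssh: or rdp:
        return u.scheme == src[:-1]
    s = urlsplit(src if "://" in src else "//" + src)
    if s.scheme and s.scheme != u.scheme:
        return False
    host = s.hostname or ""
    if host.startswith("*."):    # wildcard covers subdomains, not the bare domain
        return (u.hostname or "").endswith(host[1:])
    return u.hostname == host

def frame_allowed(policy, frame_url, page_url):
    """Frame loads are governed by frame-src, then child-src, then default-src."""
    for name in ("frame-src", "child-src", "default-src"):
        if name in policy:
            return name, any(source_matches(s, frame_url, page_url) for s in policy[name])
    return None, True            # no applicable directive: frames are not restricted

def inert_frame_keywords(policy):
    """Keywords that only apply to script/style and have no effect in frame-src."""
    return [s for s in policy.get("frame-src", []) if s in ("'unsafe-inline'", "'unsafe-eval'")]
```

`frame_allowed(parse_csp(OLD), FRAME, PAGE)` reports the fallback to default-src blocking the frame, while the new header allows it through frame-src alone; the `'unsafe-inline'` and `'unsafe-eval'` tokens can be dropped from frame-src without changing the result.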