
Content Security Policy may block Plugin functionality

Open arno-st opened this issue 4 years ago • 19 comments

I don't have the case number, but a while ago some modifications were made to allow Cacti (the browser) to access some scripts from outside of the local server. A field exists under config general to list the names of the destinations. So far so good, and it works in almost all cases.

I changed my plugin to display a map using mapbox GL instead of mapbox JS, and it's not working anymore. When I access this page from outside it's working, but not inside. I tried to add a few sites to the allowed list: unpkg.com *.mapbox.com *.googleapis.com *.cloudflare.com *.gstatic.com but still the map won't display.

File attached with the output I got on the console of the browser

Any solution here? Without having to tweak the code on every update?

thanks

Cacti 1.2.17

arno-st avatar May 26 '21 11:05 arno-st

It looks like the copy of the file didn't go well:

map.php:1 The Content Security Policy directive 'default-src' contains 'img-src' as a source expression. Did you mean 'default-src ...; img-src...' (note the semicolon)?
map.php:1 The Content Security Policy directive 'default-src' contains 'style-src' as a source expression. Did you mean 'default-src ...; style-src...' (note the semicolon)?
map.php:1 The Content Security Policy directive 'default-src' contains 'script-src' as a source expression. Did you mean 'default-src ...; script-src...' (note the semicolon)?
map.php:1 The Content Security Policy directive 'default-src' contains 'frame-ancestors' as a source expression. Did you mean 'default-src ...; frame-ancestors...' (note the semicolon)?
web_worker.js:9 Refused to create a worker from 'blob:http://lslcact01.lausanne.ch/439696c9-05eb-4001-af68-3d5d5896a0a6' because it violates the following Content Security Policy directive: "worker-src 'self'".

St @ web_worker.js:9
acquire @ worker_pool.js:28
E @ dispatcher.js:30
Be @ style.js:164
_updateStyle @ map.js:1398
setStyle @ map.js:1377
Map @ map.js:494
(anonymous) @ map.php:244
web_worker.js:9 Uncaught DOMException: Failed to construct 'Worker': Access to the script at 'blob:http://lslcact01.lausanne.ch/439696c9-05eb-4001-af68-3d5d5896a0a6' is denied by the document's Content Security Policy.
    at new St (https://api.tiles.mapbox.com/mapbox-gl-js/v2.2.0/mapbox-gl.js:35:52939)
    at Mt.acquire (https://api.tiles.mapbox.com/mapbox-gl-js/v2.2.0/mapbox-gl.js:35:53156)
    at new E (https://api.tiles.mapbox.com/mapbox-gl-js/v2.2.0/mapbox-gl.js:35:15044)
    at new Be (https://api.tiles.mapbox.com/mapbox-gl-js/v2.2.0/mapbox-gl.js:35:90883)
    at Map._updateStyle (https://api.tiles.mapbox.com/mapbox-gl-js/v2.2.0/mapbox-gl.js:35:384098)
    at Map.setStyle (https://api.tiles.mapbox.com/mapbox-gl-js/v2.2.0/mapbox-gl.js:35:383848)
    at new Map (https://api.tiles.mapbox.com/mapbox-gl-js/v2.2.0/mapbox-gl.js:35:377929)
    at http://lslcact01.lausanne.ch/cacti/plugins/map/map.php:244:17
St @ web_worker.js:9
acquire @ worker_pool.js:28
E @ dispatcher.js:30
Be @ style.js:164
_updateStyle @ map.js:1398
setStyle @ map.js:1377
Map @ map.js:494
(anonymous) @ map.php:244

arno-st avatar May 26 '21 11:05 arno-st

Actually, it sounds like your CSP isn't correct. I'm not sure how Cacti creates that at the moment without going off to review the code, did you add any of those elements? Did they come from the return code?

netniV avatar May 26 '21 18:05 netniV

No, I didn't change the CSP rule manually, I just used the feature that was introduced into the general config. And this is the CSP part on the page when I load it:

arno-st avatar May 27 '21 05:05 arno-st

What browser? Recent one? The CSP rules are still changing inside of browsers. So, new browsers may require a modification to CSP rules, though I hope not. You should go into Debug mode on the browser, locate the header and the CSP portion of the header and take a screenshot. Paste that here.

TheWitness avatar Jun 08 '21 03:06 TheWitness

Here it is:

It's on Firefox 60.3.0esr (64-bit), but I have the same issue on Edge.

arno-st avatar Jun 08 '21 06:06 arno-st

Wrong cut/paste:

arno-st avatar Jun 08 '21 06:06 arno-st

Damn, the copy of the CSP is interpreted by GitHub, so here it is without the header info:

Content-Security-Policy" content="default-src *; img-src 'self' unpkg.com *.mapbox.com *.googleapis.com *.cloudflare.com *.gstatic.com data: blob:; style-src 'self' 'unsafe-inline' unpkg.com *.mapbox.com *.googleapis.com *.cloudflare.com *.gstatic.com; script-src 'self' 'unsafe-eval' 'unsafe-inline' unpkg.com *.mapbox.com *.googleapis.com *.cloudflare.com *.gstatic.com; worker-src 'self'"

arno-st avatar Jun 08 '21 06:06 arno-st

So, we need to extend the worker-src as I read it.

TheWitness avatar Jun 25 '21 19:06 TheWitness

Commit is in. Please test.

TheWitness avatar Jun 25 '21 19:06 TheWitness

Hmm, not working, but I wonder if the change has to be made on blob instead of worker-src:

web_worker.js:9 Uncaught DOMException: Failed to construct 'Worker': Access to the script at 'blob:http://lslcact01.lausanne.ch/439696c9-05eb-4001-af68-3d5d5896a0a6' is denied by the document's Content Security Policy.

arno-st avatar Jun 28 '21 13:06 arno-st

Why is it closed? It's not fixed!

arno-st avatar Jun 30 '21 05:06 arno-st

Sorry, that was done from a different screen with a whole bunch of other issues as it had the resolved status.

netniV avatar Jun 30 '21 10:06 netniV

Can you edit the worker-src and report back?

TheWitness avatar Jun 30 '21 10:06 TheWitness

Well, to make it work I had to add 'blob:' to the list of 'Content-Security Alternate Source'. But I have no clue what the impact will be on the other directives that use the $alternate value.

arno-st avatar Jun 30 '21 11:06 arno-st

Show me your CSP string.

TheWitness avatar Jul 01 '21 16:07 TheWitness

Sorry for the delay, I was out on vacation.

So here is what I have on the web page:

and here is what I added in the config of Cacti under "Content-Security Alternate Source": unpkg.com *.mapbox.com *.googleapis.com *.cloudflare.com *.gstatic.com blob:

The "blob:" shouldn't be here, but that's the solution.

arno-st avatar Jul 26 '21 08:07 arno-st

@arno-st, you have to be more specific. Otherwise, this will not be addressed.

TheWitness avatar Sep 27 '21 11:09 TheWitness

Hello, more specific!!

Ok, I will try. I have a mapping plugin, which uses either Google Maps or OpenStreetMap. To be able to see OpenStreetMap, I have to add the following authorisation in the config of Cacti (the option you added to be able to specify some sites where the plugin can do scripting). So under the menu: console -> Configuration -> Settings -> General -> Site Security and Content-Security Alternate Sources

In a normal situation you put only a domain or a specific web site, but to be able to allow OpenStreetMap to work with all the functionality I need, I had to include the following option: blob:

And for me blob: is a specific command (like style-src or img-src, etc), so adding a few sites gives me this Content-Security-Policy: Content-Security-Policy" content="default-src *; img-src 'self' unpkg.com *.mapbox.com *.googleapis.com *.cloudflare.com *.gstatic.com *.lausanne.ch blob: data: blob:; style-src 'self' 'unsafe-inline' unpkg.com *.mapbox.com *.googleapis.com *.cloudflare.com *.gstatic.com *.lausanne.ch blob:; script-src 'self' 'unsafe-eval' 'unsafe-inline' unpkg.com *.mapbox.com *.googleapis.com *.cloudflare.com *.gstatic.com *.lausanne.ch blob:; worker-src 'self' unpkg.com *.mapbox.com *.googleapis.com *.cloudflare.com *.gstatic.com *.lausanne.ch blob:;"

As you can see the 'blob:' is added everywhere

I'm not a security expert in Content-Security-Policy, and I don't know if it's fine to allow a 'blob:' to be added inside the configuration or not. If it is, so be it and you can close the case; if not, how can it be solved?

arno-st avatar Sep 27 '21 12:09 arno-st
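As an added example (not Cacti's code, and not posted by anyone in this thread), the script below checks the two policy strings quoted above: it works out which directive governs a Worker constructed from a blob: URL, shows why `worker-src 'self'` refused it while the policy with blob: in worker-src accepts it, and reproduces the "contains 'img-src' as a source expression" warning from the first console dump, which is what a missing semicolon between directives produces. The Cacti origin, the blob URL and the MALFORMED string are constructed stand-ins; POLICY_BEFORE and POLICY_AFTER are copied from the comments above, and POLICY_NARROW is the variant TheWitness's suggestion to extend worker-src alone would produce, which the thread does not test.

```javascript
// Added example, not Cacti's own code. Parses a CSP string, lints it for
// directive names that slipped into a source list (the console warning in
// this thread), and resolves which directive governs a Worker built from a
// blob: URL. SELF, WORKER and MALFORMED are constructed stand-ins;
// POLICY_BEFORE and POLICY_AFTER are the strings posted in the thread.

// CSP Level 3 fallback chain for a dedicated worker's script URL.
const WORKER_FALLBACK = ['worker-src', 'child-src', 'script-src', 'default-src'];

// Known directive names, used to spot one sitting inside a source list.
const DIRECTIVE_NAMES = new Set([
  'default-src', 'script-src', 'style-src', 'img-src', 'connect-src',
  'font-src', 'object-src', 'media-src', 'frame-src', 'child-src',
  'worker-src', 'frame-ancestors', 'base-uri', 'form-action', 'report-uri',
]);

// "dir a b; dir2 c" -> Map { 'dir' => ['a', 'b'], 'dir2' => ['c'] }.
// The first occurrence of a directive wins; later duplicates are ignored.
function parsePolicy(policy) {
  const out = new Map();
  for (const part of policy.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (name && !out.has(name.toLowerCase())) out.set(name.toLowerCase(), sources);
  }
  return out;
}

// A missing ';' makes the next directive name look like a source. Report those.
function lintPolicy(policy) {
  const problems = [];
  for (const [name, sources] of parsePolicy(policy)) {
    for (const src of sources) {
      if (DIRECTIVE_NAMES.has(src.toLowerCase())) {
        problems.push(`'${name}' contains '${src}' as a source expression`);
      }
    }
  }
  return problems;
}

// Match one URL against a source list. Covers what the thread's policies use:
// scheme sources (blob:, data:), 'self', '*', 'none', bare hosts and *.host.
// Neither 'self' nor '*' matches a blob: or data: URL; only an explicit
// scheme source does, which is why "worker-src 'self'" refused the worker.
function sourceListAllows(sources, url, selfOrigin) {
  const target = new URL(url);
  const schemeOnly = ['blob:', 'data:', 'filesystem:'].includes(target.protocol);
  for (const src of sources) {
    const s = src.toLowerCase();
    if (s === "'none'") return false;
    if (s === target.protocol) return true;      // e.g. "blob:" matches blob:...
    if (schemeOnly) continue;                     // nothing else can match these
    if (s === '*') return true;
    if (s === "'self'") {
      if (target.origin === new URL(selfOrigin).origin) return true;
      continue;
    }
    if (s.startsWith("'")) continue;              // 'unsafe-inline' etc. are not URL matchers
    const host = s.replace(/^[a-z]+:\/\//, '').split('/')[0];
    if (host.startsWith('*.') ? target.hostname.endsWith(host.slice(1)) : host === target.hostname) {
      return true;
    }
  }
  return false;
}

// The first directive present in the fallback chain governs the worker.
function workerAllowed(policy, workerUrl, selfOrigin) {
  const directives = parsePolicy(policy);
  const directive = WORKER_FALLBACK.find((d) => directives.has(d)) || null;
  const allowed = directive === null
    ? true                                        // no applicable directive: unrestricted
    : sourceListAllows(directives.get(directive), workerUrl, selfOrigin);
  return { directive, allowed };
}

// Constructed stand-ins for the Cacti host and the worker URL mapbox-gl creates.
const SELF = 'http://cacti.example.invalid';
const WORKER = `blob:${SELF}/7b1d0e6a-0000-4000-8000-000000000001`;

// Header as first posted (blob: only in img-src, worker-src 'self').
const POLICY_BEFORE = "default-src *; img-src 'self' unpkg.com *.mapbox.com *.googleapis.com *.cloudflare.com *.gstatic.com data: blob:; style-src 'self' 'unsafe-inline' unpkg.com *.mapbox.com *.googleapis.com *.cloudflare.com *.gstatic.com; script-src 'self' 'unsafe-eval' 'unsafe-inline' unpkg.com *.mapbox.com *.googleapis.com *.cloudflare.com *.gstatic.com; worker-src 'self'";

// Header after "blob:" was added to the Alternate Sources list (blob: in every directive).
const POLICY_AFTER = "default-src *; img-src 'self' unpkg.com *.mapbox.com *.googleapis.com *.cloudflare.com *.gstatic.com *.lausanne.ch blob: data: blob:; style-src 'self' 'unsafe-inline' unpkg.com *.mapbox.com *.googleapis.com *.cloudflare.com *.gstatic.com *.lausanne.ch blob:; script-src 'self' 'unsafe-eval' 'unsafe-inline' unpkg.com *.mapbox.com *.googleapis.com *.cloudflare.com *.gstatic.com *.lausanne.ch blob:; worker-src 'self' unpkg.com *.mapbox.com *.googleapis.com *.cloudflare.com *.gstatic.com *.lausanne.ch blob:;";

// Narrower alternative: blob: added to worker-src only.
const POLICY_NARROW = POLICY_BEFORE.replace("worker-src 'self'", "worker-src 'self' blob:");

// Constructed example of the missing-semicolon mistake behind the console warnings.
const MALFORMED = "default-src * img-src 'self' blob: style-src 'self' 'unsafe-inline'";

console.log('before:', workerAllowed(POLICY_BEFORE, WORKER, SELF));  // { directive: 'worker-src', allowed: false }
console.log('after: ', workerAllowed(POLICY_AFTER, WORKER, SELF));   // { directive: 'worker-src', allowed: true }
console.log('narrow:', workerAllowed(POLICY_NARROW, WORKER, SELF));  // { directive: 'worker-src', allowed: true }
console.log('lint:  ', lintPolicy(MALFORMED));                       // two problems: 'img-src' and 'style-src'
```

Run it with `node`. The point of POLICY_NARROW is that only worker-src needed blob: for the mapbox-gl worker; putting blob: in the Alternate Sources list also adds it to img-src, style-src and script-src. In this particular policy that makes little practical difference, because script-src already carries 'unsafe-inline' and 'unsafe-eval', but a per-directive setting would let an operator grant blob: to workers without widening the other directives.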

Seems to me you can simply add the blob: to the $alternates which is available on the Console > Configuration > Settings page.


So, I'm not sure we need to do anything.

TheWitness avatar Oct 02 '21 15:10 TheWitness

Going to close this one due to lack of real clear direction. If adding blob: to the Alternative sources works, then we don't need to make a change.

TheWitness avatar Oct 08 '22 16:10 TheWitness