CABI Summary Dashboard not working in chrome

Article ID: 144678

Products

NIMSOFT PROBES, DX Infrastructure Management

Issue/Introduction

Dashboards and reports open normally when launched in Internet Explorer. However, when they are launched in Chrome (the Operator Console says it only works in Chrome), all you receive is a spinning wheel.

When using the web browser's Dev Tools (F12), we see the following error:
Refused to load the script 'http://UMPServer.domain.com/cabijs/client/visualize.js' because it violates the following Content Security Policy directive: "script-src 'self' https: *.cloud.ca.com *.salesforceliveagent.com *.walkme.com *.ca.com *.cloudfront.net 'unsafe-eval' 'unsafe-inline'". Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback.

Cause

The UMP does not set a Content-Security-Policy script-src itself. In this instance, the customer environment had a security appliance that was inserting a Content-Security-Policy header and setting script-src, which causes problems in Chrome and Firefox.
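
To see why the browser refused the script, the following added example (not code from this article or from the product) runs a simplified script-src matcher against the policy string quoted in the console error. The page origins passed in are constructed assumptions, since the article does not state which origin served the dashboard page; the function names are hypothetical.

```javascript
// Added example: simplified CSP source-list matching for script URLs.
// Handles 'self', scheme-sources and scheme-less host-sources; ports and paths are ignored.

// Policy string copied from the console error on this page.
const APPLIANCE_POLICY =
  "script-src 'self' https: *.cloud.ca.com *.salesforceliveagent.com *.walkme.com " +
  "*.ca.com *.cloudfront.net 'unsafe-eval' 'unsafe-inline'";

// Return the source expressions of one directive, or [] if it is absent.
function directiveSources(policy, name) {
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/);
    if (tokens[0].toLowerCase() === name) return tokens.slice(1);
  }
  return [];
}

// A scheme matches itself; "http:" also accepts an https URL (upgrade), never the reverse.
function schemeOk(wanted, actual) {
  return wanted === actual || (wanted === 'http:' && actual === 'https:');
}

// A leading "*." matches subdomains only, not the bare domain.
function hostOk(pattern, host) {
  pattern = pattern.toLowerCase();
  if (pattern.startsWith('*.')) return host.endsWith(pattern.slice(1));
  return host === pattern;
}

// Which source expression (if any) lets pageUrl load scriptUrl? null means blocked.
function matchingSource(policy, pageUrl, scriptUrl) {
  const page = new URL(pageUrl);
  const script = new URL(scriptUrl);
  for (const src of directiveSources(policy, 'script-src')) {
    if (src === "'self'") {
      if (script.origin === page.origin) return src; // exact origin only (simplified)
    } else if (src.startsWith("'")) {
      continue; // 'unsafe-inline' and 'unsafe-eval' never match a URL
    } else if (/^[a-z][a-z0-9+.-]*:$/i.test(src)) {
      if (schemeOk(src.toLowerCase(), script.protocol)) return src;
    } else if (!src.includes('://')) {
      if (schemeOk(page.protocol, script.protocol) && hostOk(src, script.hostname)) return src;
    }
  }
  return null;
}
```

For the http:// script URL from the error, the matcher returns null for any page that is not on exactly the same http origin, which corresponds to the "Refused to load the script" message; the https:// form of the same URL is accepted by the `https:` scheme-source.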

Environment

Release : 9.2.0

Component : UIMCBI

Resolution

Add the following to the included headers page to set the Content-Security-Policy on the UMP server:

/nimsoft/probes/service/wasp/webapps/cabi/includes/header.jsp 
<head>
<%

    // Content-Security-Policy
    //  Summary: Content Security Policy informs the client about the sources from which the application expects to load
    //           resources
    //  Info: https://www.owasp.org/index.php/Content_Security_Policy
    response.setHeader("Content-Security-Policy", "script-src 'self' https: 'unsafe-eval' 'unsafe-inline'; img-src 'self' https: data:;");
 
%>