CABI Summary Dashboard never finishes loading due to lack of Content-Security-Policy

Document ID : KB000121367
Last Modified Date : 06/03/2019
When launching the CABI 'Summary Dashboard' the portlet page never fully loads and shows a circle spinning continuously.

[Screenshot: CABI - Summary Dashboard - Spin forever]

Using the web browser's Dev Tools (F12), we see the following errors:

directive: "default-src 'self' 'unsafe-eval' 'unsafe-inline'". Note that 'style-src' was not explicitly set, so 'default-src' is used as a fallback. 

Refused to frame '' because it violates the following Content Security Policy directive: "default-src 'self'". 
Note that 'frame-src' was not explicitly set, so 'default-src' is used as a fallback.

[Screenshot: CABI - Summary Dashboard - Dev Tools - Error]

The UMP does not set a Content-Security-Policy in the frame source. In this instance the customer environment had a security appliance that was inserting a Content-Security-Policy and setting default-src, which causes problems in Chrome and Firefox.

UIM is currently targeting SP2 for UIM 9.0.2 to contain changes that add the frame source in UMP, including the Content-Security-Policy directives.

As a workaround, the following was added to the included headers page to set the Content-Security-Policy on the UMP server:

    // Content-Security-Policy
    //  Summary: Content Security Policy informs the client about the sources from which the application expects to load
    //           resources
    //  Info:
    response.setHeader("Content-Security-Policy", "default-src 'self' https: 'unsafe-eval' 'unsafe-inline'; img-src 'self' https: data:;");
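
The fallback named in the browser errors can be reproduced offline. The following is an added example, not CA/UIM code: it evaluates the two policies quoted in this article against a framed URL, using a simplified source matcher; the host names `ump.example.test` and `cabi.example.test` are constructed placeholders.

```javascript
// Added example. Simplified CSP matching: 'self', scheme-sources and exact
// origins only (no wildcards, paths or nonces). Fallback chains per CSP Level 3.
const FALLBACK = {
  "frame-src": ["frame-src", "child-src", "default-src"],
  "style-src": ["style-src", "default-src"],
  "img-src": ["img-src", "default-src"],
};

// Policies quoted in the article.
const APPLIANCE = "default-src 'self'";
const WORKAROUND =
  "default-src 'self' https: 'unsafe-eval' 'unsafe-inline'; img-src 'self' https: data:;";
// Constructed sample values (hypothetical hosts, not from the article).
const UMP_ORIGIN = "https://ump.example.test";
const CABI_URL = "https://cabi.example.test:8443/dashboard";

function parsePolicy(header) {
  const policy = new Map();
  for (const part of header.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!policy.has(name)) policy.set(name, tokens.slice(1)); // duplicates are ignored
  }
  return policy;
}

// Which directive actually governs `wanted` once fallback is applied?
function effectiveDirective(policy, wanted) {
  for (const name of FALLBACK[wanted] || [wanted]) {
    if (policy.has(name)) return { directive: name, sources: policy.get(name) };
  }
  return null;
}

function isAllowed(header, wanted, url, pageOrigin) {
  const eff = effectiveDirective(parsePolicy(header), wanted);
  if (eff === null) return true; // nothing restricts this resource type
  const target = new URL(url);
  return eff.sources.some((src) => {
    if (src === "'self'") return target.origin === pageOrigin;
    if (/^[a-z][a-z0-9+.-]*:$/i.test(src)) return target.protocol === src.toLowerCase();
    if (src.startsWith("'")) return false; // 'unsafe-inline' etc. never match a URL
    return src.includes("://") && new URL(src).origin === target.origin;
  });
}

console.log("appliance policy allows frame:", isAllowed(APPLIANCE, "frame-src", CABI_URL, UMP_ORIGIN));
console.log("workaround policy allows frame:", isAllowed(WORKAROUND, "frame-src", CABI_URL, UMP_ORIGIN));
```

`https:` in default-src admits any HTTPS origin for every resource type that falls back to it; an explicit frame-src naming only the CABI origin unblocks the frame without widening the rest of the policy.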

Additional Information:
To address a similar issue with the Operator Console Home page, install the UMP 9.02HF2 hot fix, available for download from the Download page on the support site.