CABI Summary Dashboard never finishes loading due to lack of Content-Security-Policy

Document ID : KB000121367
Last Modified Date : 19/11/2018
Issue:
When launching the CABI 'Summary Dashboard' the portlet page never fully loads and shows a circle spinning continuously.

[Screenshot: CABI - Summary Dashboard - Spin forever]

When using the Web Browser's Dev Tools (F12) we see the following errors:

directive: "default-src 'self' 'unsafe-eval' 'unsafe-inline'". Note that 'style-src' was not explicitly set, so 'default-src' is used as a fallback.

Refused to frame 'https://uimumpserver.xyz.com/' because it violates the following Content Security Policy directive: "default-src 'self'". Note that 'frame-src' was not explicitly set, so 'default-src' is used as a fallback.

[Screenshot: CABI - Summary Dashboard - Dev Tools - Error]

Cause:
The UMP does not set a Content-Security-Policy header on the frame source itself. In this instance the customer environment had a Security Appliance that was inserting its own Content-Security-Policy header with a restrictive default-src. Because the injected policy set no frame-src (or style-src), the browser falls back to that default-src for framing and stylesheets, and the UMP frame is refused in Chrome and Firefox.

Resolution:
UIM is currently targeting SP2 for UIM 9.0.2 to contain changes that add the frame source in UMP, including the Content-Security-Policy directives.

As a workaround, the following was added to the included header page to set the Content-Security-Policy on the UMP server:

/nimsoft/probes/service/wasp/webapps/cabi/includes/header.jsp

<head>
<%
    // Content-Security-Policy
    //  Summary: Content Security Policy informs the client about the sources from which the application expects to load
    //           resources
    //  Info: https://www.owasp.org/index.php/Content_Security_Policy
    //  Note: 'unsafe-inline' and 'unsafe-eval' relax the script protections CSP normally provides; keep the policy
    //        no wider than the dashboard needs.
    response.setHeader("Content-Security-Policy", "default-src 'self' https: 'unsafe-eval' 'unsafe-inline'; img-src 'self' https: data:;");
%>
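The two Dev Tools errors above and the workaround header both come down to one CSP rule: when a fetch directive such as frame-src or style-src is absent, the browser uses default-src instead. The following small evaluator is an added example (not part of this KB article or of the CABI/UMP product) that reproduces that fallback and source-list matching for the two policies on this page: the appliance-injected "default-src 'self'" and the workaround policy set in header.jsp. The page origin https://ump.example.com and the data: image URL are constructed values; the framed URL https://uimumpserver.xyz.com/ is the one from the error message. Port matching is simplified and nonces/hashes are not modelled.

```python
"""Minimal Content-Security-Policy evaluator illustrating default-src fallback.

Added example, not product code. Implements a subset of CSP source matching:
'self', 'none', scheme-sources (https:, data:), host-sources with an optional
leading *. wildcard, and the bare * source. Keyword sources such as
'unsafe-inline' and 'unsafe-eval' never match a URL, exactly as in browsers.
"""
from urllib.parse import urlparse

# Fetch directives that fall back to default-src when they are not set.
FALLBACK_TO_DEFAULT = {
    "frame-src", "style-src", "script-src", "img-src",
    "connect-src", "font-src", "media-src", "object-src",
}

# Policies taken from this KB article.
APPLIANCE_CSP = "default-src 'self'"
WORKAROUND_CSP = ("default-src 'self' https: 'unsafe-eval' 'unsafe-inline'; "
                  "img-src 'self' https: data:;")

# Constructed values for the demonstration (assumptions, not from the article).
PAGE_ORIGIN = "https://ump.example.com"
FRAMED_URL = "https://uimumpserver.xyz.com/"          # from the Dev Tools error
DATA_IMAGE = "data:image/png;base64,AAAA"             # constructed inline image


def parse_csp(header: str) -> dict:
    """Split a CSP header into {directive: [source expressions]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            name, *sources = tokens
            policy[name.lower()] = sources
    return policy


def effective_sources(policy: dict, directive: str):
    """Return (sources, directive_actually_used) honoring the default-src fallback."""
    if directive in policy:
        return policy[directive], directive
    if directive in FALLBACK_TO_DEFAULT and "default-src" in policy:
        return policy["default-src"], "default-src"
    return None, None  # no applicable restriction


def source_matches(source: str, url: str, page_origin: str) -> bool:
    """Match one CSP source expression against a URL (simplified spec subset)."""
    u = urlparse(url)
    if source == "'self'":
        p = urlparse(page_origin)
        return (u.scheme, u.hostname, u.port) == (p.scheme, p.hostname, p.port)
    if source.startswith("'"):
        return False          # 'none', 'unsafe-inline', 'unsafe-eval', ... never match a URL
    if source == "*":
        return True
    if source.endswith(":"):  # scheme-source, e.g. https: or data:
        return u.scheme == source[:-1].lower()
    # host-source: [scheme://]host[:port]
    hostpart = source
    if "://" in source:
        scheme, hostpart = source.split("://", 1)
        if u.scheme != scheme.lower():
            return False
    host, _, port = hostpart.partition(":")
    if port and str(u.port) != port:
        return False
    if not u.hostname:
        return False
    if host.startswith("*."):
        return u.hostname.endswith(host[1:].lower())
    return u.hostname == host.lower()


def check(header: str, directive: str, url: str, page_origin: str = PAGE_ORIGIN):
    """Return (allowed, directive_used) for loading url under the given directive."""
    sources, used = effective_sources(parse_csp(header), directive)
    if sources is None:
        return True, None
    return any(source_matches(s, url, page_origin) for s in sources), used


def explain(header: str, directive: str, url: str, page_origin: str = PAGE_ORIGIN) -> str:
    """Produce a browser-style message for a blocked load, or 'allowed'."""
    allowed, used = check(header, directive, url, page_origin)
    if allowed:
        return "allowed"
    msg = f"Refused to load '{url}' because it violates the CSP directive '{used}'."
    if used != directive:
        msg += f" Note that '{directive}' was not explicitly set, so '{used}' is used as a fallback."
    return msg


if __name__ == "__main__":
    for name, policy in (("appliance", APPLIANCE_CSP), ("workaround", WORKAROUND_CSP)):
        print(name, "frame-src:", explain(policy, "frame-src", FRAMED_URL))
        print(name, "img-src:  ", explain(policy, "img-src", DATA_IMAGE))
```

Running it shows the appliance policy refusing the frame via the default-src fallback, exactly as the Dev Tools message reports, while the workaround policy admits it through the https: scheme-source. The same evaluator is a convenient way to reason about tightening the workaround later: replacing https: with the specific UMP host in a frame-src directive would keep the dashboard working without allowing every HTTPS origin. To confirm which policy a browser actually receives, inspect the response headers in Dev Tools or with curl -sI against the portlet URL; a header arriving from an in-line appliance will differ from the one set in header.jsp.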