
perfsonar-user - Re: [perfsonar-user] time-series graphs breakage - dashboard separate from central MA - Content Security Policy js?

Subject: perfSONAR User Q&A and Other Discussion

  • From: John Hess <>
  • To: Michael Johnson <>
  • Cc:
  • Subject: Re: [perfsonar-user] time-series graphs breakage - dashboard separate from central MA - Content Security Policy js?
  • Date: Fri, 28 Jul 2017 18:48:37 -0700

hi Michael,

thanks for the response… but i am not grok'ing how in the maddash config i
would implement your suggested work-around. could you elaborate?

meanwhile, i updated the Content-Security-Policy in
apache-perfsonar-graphs.conf to whitelist https://ps-ma-lax.cenic.net (and,
ironically, 'self', as well), as in:

Header set Content-Security-Policy "default-src 'self' ; connect-src 'self' https://ps-ma-lax.cenic.net ; img-src 'self' 'unsafe-inline' data: ; style-src 'self' 'unsafe-inline' "

and the time-series graphs are working again, for now :-)

thanks,

john



> On Jul 28, 2017, at 10:21 AM, Michael Johnson
> <>
> wrote:
>
> Hi John,
>
> Thanks for the detailed report.
>
> It does look like this is related to some HTTP headers we changed recently.
> We made some changes to tighten up security by only allowing things to be
> embedded in specific ways we allow.
>
> It appears that this means it's not working for you in this use case. What
> you can do to make it work is, point your Maddash config at
> https://ps-ma-lax.cenic.net/perfsonar-graphs/ rather than
> https://ps-dashboard.cenic.net/perfsonar/graphs/
>
> This may mean we need to rethink our header restrictions to accommodate
> this use case. Currently, /perfsonar-graphs has to be on the same host as
> the MA, which is why you're seeing this error. We'll give it some more
> consideration.
>
> Thanks,
> Michael
>
> On Fri, Jul 28, 2017 at 09:37:00AM -0700, John Hess wrote:
>> hi,
>>
>> i recently separated our central esmond MA to a distinct physical server,
>> ps-ma-lax.cenic.net, from the host (VM) on which our pS MaDDash is
>> running, ps-dashboard.cenic.net. the time-series graphs had been working
>> well — up until they stopped working a day or two ago.
>>
>> i am tracking perfsonar-staging on both systems w/auto-updates enabled.
>> the dashboard VM has pulled in perfsonar-graphs 4.0.1 v0.1.rc1.el6.
>> (after clearing browser data) within the browser -> Graph pane, the region
>> which would otherwise display the graphs now displays this error:
>>
>> Error loading data
>> Error retrieving data
>> Can’t connect to ps-ma-lax.cenic.net:443 (connect: Network is unreachable)
>>
>> the (Chrome browser) javascript console log has these entries:
>>
>> dojo.js:15 [Deprecation] Synchronous XMLHttpRequest on the main thread is
>> deprecated because of its detrimental effects to the end user's
>> experience. For more help, check https://xhr.spec.whatwg.org/.
>> req.getText @ dojo.js:15
>> jquery.min.js:6 Refused to connect to
>> 'https://ps-ma-lax.cenic.net/esmond/perfsonar/archive/?source=ps-svl-10g.cenic.net&destination=melange.noc.ucdavis.edu'
>> because it violates the following Content Security Policy directive:
>> "default-src 'self' ". Note that 'connect-src' was not explicitly set, so
>> 'default-src' is used as a fallback.
>>
>> send @ jquery.min.js:6
>> jquery.min.js:6 Refused to connect to
>> 'https://ps-ma-lax.cenic.net/esmond/perfsonar/archive/?source=melange.noc.ucdavis.edu&destination=ps-svl-10g.cenic.net'
>> because it violates the following Content Security Policy directive:
>> "default-src 'self' ". Note that 'connect-src' was not explicitly set, so
>> 'default-src' is used as a fallback.
>>
>> send @ jquery.min.js:6
>> /perfsonar-graphs/cgi-bin/graphData.cgi?action=ma_data&url=https%3A%2F%2Fps-ma-lax.cenic.net%2Fesmond%2Fperfsonar%2Farchive%2F%3Fsource%3Dps-svl-10g.cenic.net%26destination%3Dmelange.noc.ucdavis.edu
>> Failed to load resource: the server responded with a status of 500
>> (Internal Server Error)
>> /perfsonar-graphs/cgi-bin/graphData.cgi?action=ma_data&url=https%3A%2F%2Fps-ma-lax.cenic.net%2Fesmond%2Fperfsonar%2Farchive%2F%3Fsource%3Dmelange.noc.ucdavis.edu%26destination%3Dps-svl-10g.cenic.net
>> Failed to load resource: the server responded with a status of 500
>> (Internal Server Error)
>> bundle.js:10315 Warning: Each child in an array or iterator should have a
>> unique "key" prop. Check the render method of `ChartHeader`. See
>> https://fb.me/react-warning-keys for more information.
>> warning @ bundle.js:10315
>>
>> ——
>>
>> i did not find a good match for the symptom among the open
>> perfsonar/graphs issues on GitHub:
>>
>> https://github.com/perfsonar/graphs/issues
>>
>> though closed issue #85 ‘Add security headers for graphs’ looked
>> interesting.
>>
>>
>> thanks,
>>
>> john
>>
>
> --
> Michael Johnson
> GlobalNOC Software Engineering
> Indiana University
>
> 812-856-2771
>
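
Added example (not part of the original messages, and not perfSONAR code): a simplified model of how a browser picks the directive for XHR/fetch destinations, run against the two policies quoted in this thread. The function names are hypothetical, and source matching is reduced to 'self', '*', 'none' and scheme://host[:port] entries.

```javascript
// Simplified CSP check for XHR/fetch destinations (connect-src).
// Assumption: only 'self', '*', 'none' and scheme://host[:port] sources are
// modelled; host wildcards and path matching from the CSP spec are left out.

function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    // A repeated directive is ignored by browsers; the first one wins.
    if (name && !policy.has(name.toLowerCase())) {
      policy.set(name.toLowerCase(), sources);
    }
  }
  return policy;
}

function connectAllowed(header, pageUrl, targetUrl) {
  const policy = parseCsp(header);
  // connect-src falls back to default-src when it is not set explicitly.
  const used = policy.has('connect-src') ? 'connect-src'
             : policy.has('default-src') ? 'default-src' : null;
  if (used === null) return { allowed: true, directive: null };
  const page = new URL(pageUrl).origin;
  const target = new URL(targetUrl).origin;
  const allowed = policy.get(used).some((src) => {
    if (src === "'none'") return false;
    if (src === '*') return true;
    if (src === "'self'") return target === page;
    // Keyword sources such as 'unsafe-inline' do not parse as URLs.
    try { return new URL(src).origin === target; } catch { return false; }
  });
  return { allowed, directive: used };
}

// Hosts and policies as quoted in the thread.
const PAGE = 'https://ps-dashboard.cenic.net/perfsonar-graphs/';
const MA = 'https://ps-ma-lax.cenic.net/esmond/perfsonar/archive/';
const BEFORE = "default-src 'self'";
const AFTER = "default-src 'self' ; connect-src 'self' https://ps-ma-lax.cenic.net ; " +
              "img-src 'self' 'unsafe-inline' data: ; style-src 'self' 'unsafe-inline'";

console.log('before:', connectAllowed(BEFORE, PAGE, MA));
console.log('after: ', connectAllowed(AFTER, PAGE, MA));
console.log('other: ', connectAllowed(AFTER, PAGE, 'https://example.net/'));
```

The updated policy opens connect-src only to the dashboard's own origin and the one MA host, so requests to any other origin are still refused.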
