perfsonar-user - Re: [perfsonar-user] time-series graphs breakage - dashboard separate from central MA - Content Security Policy js?
Subject: perfSONAR User Q&A and Other Discussion
List archive
Re: [perfsonar-user] time-series graphs breakage - dashboard separate from central MA - Content Security Policy js?
Chronological Thread
- From: Michael Johnson <>
- To: John Hess <>
- Cc:
- Subject: Re: [perfsonar-user] time-series graphs breakage - dashboard separate from central MA - Content Security Policy js?
- Date: Mon, 31 Jul 2017 09:31:38 -0400
- Ironport-phdr: 9a23:15glqhTEUQGfUX+1F6hODPylYdpsv+yvbD5Q0YIujvd0So/mwa6yYxyN2/xhgRfzUJnB7Loc0qyN4vCmATRIyK3CmUhKSIZLWR4BhJdetC0bK+nBN3fGKuX3ZTcxBsVIWQwt1Xi6NU9IBJS2PAWK8TW94jEIBxrwKxd+KPjrFY7OlcS30P2594HObwlSijewZbB/IA+qoQnNq8IbnZZsJqEtxxXTv3BGYf5WxWRmJVKSmxbz+MK994N9/ipTpvws6ddOXb31cKokQ7NYCi8mM30u683wqRbDVwqP6WACXWgQjxFFHhLK7BD+Xpf2ryv6qu9w0zSUMMHqUbw5Xymp4rx1QxH0ligIKz858HnWisNuiqJbvAmhrAF7z4LNfY2ZKOZycqbbcNgHR2ROQ9xRWjRPDI28cYUBEukPPehXoIbhulQAohmxCBKwBOP20DJEmmP60bE43uknDArI3BYgH9ULsHnMq9v1NbsdUeCvw6bWyTXIcvdY2TD96IjOaRAhpveMVq93fMrUy0kiFB3Jg06fqYzhODOazf4Cs2yd7+pnSe2jkW8nqxxrrjex28gsl5DEi4QIwV7K8iV5xZw6Jdy+SENjb96rC4FctySEOIduTMIiQ3tnuDo0y70Jo5K7ezIKyJs/yxHDdfOHdYmI7Q75WOaXPzh4mGppeL2+hxau8Uig1/bzWtOo31ZNqypIlMTHuHMV1xHL98SKRf9w8l281TuO1w3f8PxILE47mKbBKZMszbg9nYcJv0vZBC/5gkD2gbeWdko6/uio7PzqYrD8qZ+dM494kB3xMrgylcClDuQ4KA4OX2+H9uim1b3j4Ff1T6tXgf0riqXZsZbaKtoHpqOhHgNY3YIu5wyiAzqn0NkUh2QLIVxKdR6djYXkNEnCIPXiAve+h1Ssni1rx/fDPrD5B5XNLHvOnKn6cLZy705czxE8wspb55JSDbEOPOj/Wk7stNDCEBA2LhG0z/79CNphzoMeRX6PAqiBPaPKr1CI/OwvI/KLZI8Tojn9MeEp5+P1jXAng18QZq2p3ZoMaHCkBfRqPV+VYXvqgtcdD2gKpAw+Q/L2iFGcSzJceWu9X79vrg08XaChDYGLZo22m/TV3ie2BYZ+bW1AC1vKFm3nIdaqQfAJPQeTKc9onzhMd7+hTZQm01n6sQ2qkZJoKu3e8ykespml1cUz6uHOw0JhvQdoBtiQhjneB1p/mXkFEnpvhPhy
Hi John,
I should have mentioned this approach, I'm glad you figured it out!
Thansk for reporting the issue, also.
- Michael
On Fri, Jul 28, 2017 at 06:48:37PM -0700, John Hess wrote:
hi Michael,
thanks for the response… but i am not grok'ing how in the maddash config i
would implement your suggested work-around. could you elaborate?
meanwhile, i updated the Content-Security-Policy in
apache-perfsonar-graphs.conf to whitelist https://ps-ma-lax.cenic.net (and,
ironically, ’self’, as well) , as in:
Header set Content-Security-Policy “default-src 'self' ; connect-src 'self'
https://ps-ma-lax.cenic.net ; img-src 'self' 'unsafe-inline' data: ; style-src
'self' 'unsafe-inline' "
and the time-series graphs are working again, for now :-)
thanks,
john
On Jul 28, 2017, at 10:21 AM, Michael Johnson
<>
wrote:
Hi John,
Thanks for the detailed report.
It does look like this is related to some HTTP headers we changed recently.
We made some changes to tighten up security by only allowing things to be
embedded in specific ways we allow.
It appears that this means it's not working for you in this use case. What
you can do to make it work is, point your Maddash config at
https://ps-ma-lax.cenic.net/perfsonar-graphs/ rather than
https://ps-dashboard.cenic.net/perfsonar/graphs/
This may mean we need to rethink our header restrictions to accommodate this
use case. Currently, /perfsonar-graphs has to be on the same host as the MA,
which is why you're seeing this error. We'll give it some more consideration.
Thanks,
Michael
On Fri, Jul 28, 2017 at 09:37:00AM -0700, John Hess wrote:
hi,
i recently separated our central esmond MA to a distinct physical server,
ps-ma-lax.cenic.net, from the host (VM) on which our pS MaDDash is running,
ps-dashboard.cenic.net. the time-series graphs had been working well — up
until they stopped working a day or two ago.
i am tracking perfsonar-staging on both systems w/auto-updates enabled. the
dashboard VM has pulled in perfsonar-graphs 4.0.1 v0.1.rc1.el6. (after
clearing browser data) within the browser -> Graph pane, the region which
would otherwise display the graphs now displays this error:
Error loading data
Error retrieving data
Can’t connect to ps-ma-lax.cenic.net:443 (connect: Network is unreachable)
the (Chrome browser) javascript console log has these entries:
dojo.js:15 [Deprecation] Synchronous XMLHttpRequest on the main thread is
deprecated because of its detrimental effects to the end user's experience.
For more help, check https://xhr.spec.whatwg.org/.
req.getText @ dojo.js:15
jquery.min.js:6 Refused to connect to
'https://ps-ma-lax.cenic.net/esmond/perfsonar/archive/?source=ps-svl-10g.cenic.net&destination=melange.noc.ucdavis.edu'
because it violates the following Content Security Policy directive: "default-src
'self' ". Note that 'connect-src' was not explicitly set, so 'default-src' is used as
a fallback.
send @ jquery.min.js:6
jquery.min.js:6 Refused to connect to
'https://ps-ma-lax.cenic.net/esmond/perfsonar/archive/?source=melange.noc.ucdavis.edu&destination=ps-svl-10g.cenic.net'
because it violates the following Content Security Policy directive: "default-src
'self' ". Note that 'connect-src' was not explicitly set, so 'default-src' is used as
a fallback.
send @ jquery.min.js:6
/perfsonar-graphs/cgi-bin/graphData.cgi?action=ma_data&url=https%3A%2F%2Fps-ma-lax.cenic.net%2Fesmond%2Fperfsonar%2Farchive%2F%3Fsource%3Dps-svl-10g.cenic.net%26destination%3Dmelange.noc.ucdavis.edu
Failed to load resource: the server responded with a status of 500 (Internal
Server Error)
/perfsonar-graphs/cgi-bin/graphData.cgi?action=ma_data&url=https%3A%2F%2Fps-ma-lax.cenic.net%2Fesmond%2Fperfsonar%2Farchive%2F%3Fsource%3Dmelange.noc.ucdavis.edu%26destination%3Dps-svl-10g.cenic.net
Failed to load resource: the server responded with a status of 500 (Internal
Server Error)
bundle.js:10315 Warning: Each child in an array or iterator should have a unique
"key" prop. Check the render method of `ChartHeader`. See
https://fb.me/react-warning-keys for more information.
warning @ bundle.js:10315
——
i did not find a good match for the symptom among the open perfsonar/graphs
issues on GitHub:
https://github.com/perfsonar/graphs/issues
though closed issue #85 ‘Add security headers for graphs’ looked interesting.
thanks,
john
--
Michael Johnson
GlobalNOC Software Engineering
Indiana University
812-856-2771
--
Michael Johnson
GlobalNOC Software Engineering
Indiana University
812-856-2771
- [perfsonar-user] time-series graphs breakage - dashboard separate from central MA - Content Security Policy js?, John Hess, 07/28/2017
- Re: [perfsonar-user] time-series graphs breakage - dashboard separate from central MA - Content Security Policy js?, Michael Johnson, 07/28/2017
- Re: [perfsonar-user] time-series graphs breakage - dashboard separate from central MA - Content Security Policy js?, John Hess, 07/29/2017
- Re: [perfsonar-user] time-series graphs breakage - dashboard separate from central MA - Content Security Policy js?, Michael Johnson, 07/31/2017
- Re: [perfsonar-user] time-series graphs breakage - dashboard separate from central MA - Content Security Policy js?, John Hess, 07/29/2017
- Re: [perfsonar-user] time-series graphs breakage - dashboard separate from central MA - Content Security Policy js?, Michael Johnson, 07/28/2017
Archive powered by MHonArc 2.6.19.