Calling all cyber security experts out there. I have our Ignition server behind a WAF and a reverse proxy server. The reverse proxy server has the ability to specify Content-Security-Policy headers. In an attempt to obtain a higher/passing score on some cyber security auditing platforms, I added the script-src 'self' directive, and now all Perspective Designer views will not load. They only show a blank screen. If I change script-src to 'unsafe-inline' (which is not recommended), the view loads correctly. I know that the Designer uses the Chromium browser as its page viewer.
So, does anyone know what scripts outside of 'self' the chromium browser calls and where for the page to load?
Update: The Perspective Components panel doesn't populate with items either. But once I add 'unsafe-inline', everything works as it should.
Going down the rabbit hole some more on this.
There are 2 inline scripts that load on a Perspective page.
The first one is a localStorage.setItem function:
<script>
    localStorage.setItem("redundancy.status", JSON.stringify({
        "activity_level": "Active",
        "role": "Independent",
        "peers": []
    }));
</script>
The second one is this:
<script>
    window.__qualityCodes = [{
        code: 0,
        name: 'Good_Unspecified'
    }, {
        code: 2,
        name: 'Good_WritePending'
    }, {
        code: 192,
        name: 'Good'
    }, {
        code: 1073742081,
        name: 'Uncertain_LastKnownValue'
    }, {
        code: 1073742082,
        name: 'Uncertain_InitialValue'
    }, {
        code: -2147483136,
        name: 'Bad'
    }, {
        code: -2147483135,
        name: 'Bad_Unauthorized'
    }, {
        code: -1073741056,
        name: 'Error'
    }, {
        code: -1073741044,
        name: 'Error_CycleDetected'
    }];
    window.__assetDigests = {
        "automationstation": "80CAUBEpIEgQ0PELvy76tXdRvKPfWPza4iWnhZQYkmw=",
        "ignition": "OHO486EHIApZN8QQS1pXsqM4Q3aZT/U2R8vu+BxSZMk=",
        "material": "Kp7nlEjvsk96AaSnJDC0YNXTLouKrrJ3wDlxwCaZgZs=",
        "symbol_mimic": "+0NSRQ/D1m+Gs3ynJuceFvqDOAIw0yvfM5fbkneEvCY=",
        "symbol_p&id": "7osguOd5/4WGChLD04YMjQFOxO53jxlUTpiwtb/KK7o=",
        "symbol_simple": "VYS/8nowWa8QK5BgJ0Xl1YFwyJHzKPgveyWFimd3WIc="
    };
    <!-- before render -->
    ReactDOM.render(React.createElement(PerspectiveClient.Client, {
        "projectName": "myProjectName",
        "projectTitle": "myProjectTitle",
        "platformEdition": "standard",
        "coBrandingEnabled": true
    }, null), document.getElementById('app-container'));
</script>
IA developers... if these 2 scripts had a consistent hash or nonce assigned to them, then we could add that hash/nonce to the CSP header. Otherwise, we have to allow unsafe-inline, which is not good practice according to cyber security experts... whomever they are.
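As an added example (not from the post above and not Inductive Automation's code), this computes the 'sha256-...' source expression a CSP script-src would need for the first inline script quoted above, and shows why hashing is brittle here: the browser hashes the exact script text, so a change in the redundancy state (a constructed "Backup" variant below) invalidates the hash, which is why a per-response nonce is the usual alternative.

```python
import base64
import hashlib
import secrets

# Body of the first inline script as quoted in the post (sample text copied
# from the page). The browser hashes exactly the bytes between <script> and
# </script>, so indentation and surrounding whitespace change the result.
REDUNDANCY_SCRIPT = (
    'localStorage.setItem("redundancy.status", JSON.stringify({\n'
    '"activity_level": "Active",\n'
    '"role": "Independent",\n'
    '"peers": []\n'
    '}));'
)

# Constructed variant: same script after a redundancy failover.
REDUNDANCY_SCRIPT_AFTER_FAILOVER = REDUNDANCY_SCRIPT.replace('"Active"', '"Backup"')


def csp_hash_source(script_body: str) -> str:
    """Return the CSP source expression 'sha256-<base64>' for one inline script."""
    digest = hashlib.sha256(script_body.encode("utf-8")).digest()
    return "'sha256-" + base64.b64encode(digest).decode("ascii") + "'"


def csp_nonce_source() -> str:
    """Return a fresh 'nonce-<base64>' source; must be regenerated per response."""
    return "'nonce-" + base64.b64encode(secrets.token_bytes(16)).decode("ascii") + "'"


def script_src_header(inline_sources) -> str:
    """Build a script-src directive allowing same-origin files plus the given
    hash/nonce sources, without falling back to 'unsafe-inline'."""
    return "Content-Security-Policy: script-src 'self' " + " ".join(inline_sources)


def hash_changes_on_failover() -> bool:
    """True if the allowlisted hash no longer matches once the state text changes."""
    return csp_hash_source(REDUNDANCY_SCRIPT) != csp_hash_source(REDUNDANCY_SCRIPT_AFTER_FAILOVER)


if __name__ == "__main__":
    print(script_src_header([csp_hash_source(REDUNDANCY_SCRIPT)]))
    print("hash breaks after failover:", hash_changes_on_failover())
```

A nonce only works if the server (not the proxy alone) injects the same value into each `<script nonce="...">` tag it renders, so the proxy cannot add it by itself.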