Content Security Policy bug?

Serv-U v15.2.3.717 and v15.2.3.723 appear to have a bug with Content Security Policy (CSP).

I noticed that the close button in the pop-up alert boxes no longer works. Nothing happens when you click it.

I used Firefox Developer Tools and saw that there are a lot of the following errors in the console:

Content Security Policy: The page’s settings blocked the loading of a resource at inline (“script-src”).

All of those errors point to /Common/Scripts/functions.js.

From Chrome's console:

Refused to execute inline event handler because it violates the following Content Security Policy directive: "script-src 'nonce-55BC88D536EF3A05E6913515E5CB285B'". Either the 'unsafe-inline' keyword, a hash ('sha256-...'), or a nonce ('nonce-...') is required to enable inline execution.

Chrome errors point to index

This issue is not present in v15.2.2.
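
Added example, not part of the original post and not Serv-U code: a Node.js check that lists which inline scripts and event handlers a nonce-based script-src policy, like the one in the Chrome message, will refuse. The markup samples and the `init` and `closeAlert` names are constructed assumptions; hash sources are not evaluated.

```javascript
// Added example, not Serv-U code. Hash sources ('sha256-...') are not evaluated.
function scriptSrcSources(csp) {
  // The first occurrence of a directive wins; fall back to default-src as browsers do.
  const found = {};
  for (const part of csp.split(';')) {
    const [name, ...values] = part.trim().split(/\s+/);
    const key = (name || '').toLowerCase();
    if (key && !(key in found)) found[key] = values;
  }
  return found['script-src'] || found['default-src'] || null;
}

function findBlockedInline(csp, html) {
  const sources = scriptSrcSources(csp);
  if (sources === null) return [];                 // no restriction on scripts
  const nonces = sources.filter(s => /^'nonce-.+'$/i.test(s)).map(s => s.slice(7, -1));
  const hasHash = sources.some(s => /^'sha(256|384|512)-/i.test(s));
  const unsafeInline = sources.some(s => s.toLowerCase() === "'unsafe-inline'");
  // Browsers ignore 'unsafe-inline' once a nonce or hash source is present.
  if (unsafeInline && nonces.length === 0 && !hasHash) return [];
  const blocked = [];
  for (const [, tag, attrs] of html.matchAll(/<([a-z][a-z0-9]*)\b([^>]*)>/gi)) {
    // Event handler attributes cannot carry a nonce, so a nonce never allows them.
    for (const [, handler] of attrs.matchAll(/\s(on[a-z]+)\s*=/gi)) {
      blocked.push(`<${tag.toLowerCase()}> inline handler ${handler.toLowerCase()}`);
    }
    // Inline <script> blocks (no src) run only with a nonce listed in the policy.
    if (tag.toLowerCase() === 'script' && !/\ssrc\s*=/i.test(attrs)) {
      const m = attrs.match(/\snonce\s*=\s*["']?([^"'\s>]+)/i);
      if (!m || !nonces.includes(m[1])) blocked.push('<script> inline block without a matching nonce');
    }
  }
  return blocked;
}

// Policy as quoted in the Chrome console message; both markup samples are constructed.
const POLICY = "script-src 'nonce-55BC88D536EF3A05E6913515E5CB285B'";
const BROKEN = `<script nonce="55BC88D536EF3A05E6913515E5CB285B">init();</script>
<button id="close" onclick="closeAlert()">Close</button>`;
const FIXED = `<script nonce="55BC88D536EF3A05E6913515E5CB285B">
document.getElementById('close').addEventListener('click', closeAlert);
</script>
<button id="close">Close</button>`;

console.log(findBlockedInline(POLICY, BROKEN));
console.log(findBlockedInline(POLICY, FIXED));
```

The second sample passes because the click handler is registered with `addEventListener` from a script block that carries the policy's nonce, which keeps the policy strict instead of adding 'unsafe-inline'.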

  • WOW! Almost two weeks and no responses. I haven't posted on here in a long time. Sad to see forum activity (other than unanswered questions) is now almost non-existent; especially posts from mods.

    I even submitted a ticket and no one has followed up.

    Also found more issues. Seems you can no longer edit HTML, CSS or string files without Serv-U shutting down http/https. How else are you supposed to be able to change error messages, white label or fix the poor mobile template? If you make any simple edits to any "html" files, you get the following error and have to manually restart the service:

    support.solarwinds.com/.../Security-error-when-starting-HTTP-HTTPS

    Serv-U has long been my favorite file transfer server. Guess we will be putting Serv-U testing/recommending to rest and moving on to the other vendors.

  • The issue with the non-functional Close button is verified and will be fixed in the next release. The OK button works correctly.
    Modification of Serv-U HTML files is protected due to security rules, so the error message is expected behavior. If you are facing any issues with any specific HTML code, please raise a support ticket; we will verify and investigate the problem. Thanks for your comments.

  • Thank you for following up. I appreciate that.

    So by design, the security rules eliminate the possibility of editing strings and CSS? So that means admin can no longer do something as simple as customize the text being displayed to end-users?
