+++ This bug was initially created as a clone of Bug #2160555 +++

Description of problem:
Response with status code 401 is not showing the right content type; technically it would require CSP with a text/html response, but it would not with JSON.
Response with status code 404 is showing an HTML response with no CSP.

Version-Release number of selected component (if applicable):
pcs-0.10.14-5.el8

How reproducible:
Always

Steps to Reproduce:
1. Disable pcs WebUI
2. Access WebUI and receive either a 401 or 404 error page
3. Check headers

Actual results:
Headers lack CSP

Expected results:
CSP to be included even with error pages
Upstream patch: https://github.com/ClusterLabs/pcs/commit/36e476d1a431375dfb53aca560d3a4d50494d001

Test:
1. disable pcs web UI
2. access pcs web UI and receive a 404 page
3. verify that the "Content-Security-Policy" HTTP header is set to "frame-ancestors 'self'; default-src 'self'"
DevTestResults:

[root@r09-03-a ~]# rpm -q pcs
pcs-0.11.5-1.el9.x86_64

Response headers on requests for index.html and favicon.ico both contain the desired CSP policy:

HTTP/1.1 404 Not Found
Content-Type: text/html; charset=UTF-8
Date: Wed, 24 May 2023 16:03:39 GMT
Strict-Transport-Security: max-age=63072000
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
Content-Security-Policy: frame-ancestors 'self'; default-src 'self'
X-Xss-Protection: 1; mode=block
Cache-Control: no-store, no-cache
Pragma: no-cache
Referrer-Policy: no-referrer
Content-Length: 69
BEFORE:
=======

[root@virt-510 ~]# rpm -q pcs
pcs-0.11.4-6.el9.x86_64

## disable web UI
[root@virt-510 ~]# cat /etc/sysconfig/pcsd | grep PCSD_DISABLE_GUI
PCSD_DISABLE_GUI=true
[root@virt-510 ~]# systemctl restart pcsd
[root@virt-510 ~]# echo $?
0

## access web UI
1. open https://<hostname>:2224
> got 404: Not Found
2. check network headers for index and favicon
the header:
HTTP/1.1 404 Not Found
Server: TornadoServer/6.2
Content-Type: text/html; charset=UTF-8
Date: Mon, 17 Jul 2023 15:16:24 GMT
Content-Length: 69
> CSP (Content-Security-Policy) is not present

AFTER:
======

[root@virt-496 ~]# rpm -q pcs
pcs-0.11.6-1.el9.x86_64

## disable web UI
[root@virt-496 ~]# cat /etc/sysconfig/pcsd | grep PCSD_DISABLE_GUI
PCSD_DISABLE_GUI=true
[root@virt-496 ~]# systemctl restart pcsd
[root@virt-496 ~]# echo $?
0

## access web UI
1. open https://<hostname>:2224
> got 404: Not Found
2. check network headers for index and favicon
the header:
HTTP/1.1 404 Not Found
Content-Type: text/html; charset=UTF-8
Date: Fri, 14 Jul 2023 14:58:31 GMT
Strict-Transport-Security: max-age=63072000
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
Content-Security-Policy: frame-ancestors 'self'; default-src 'self'
X-Xss-Protection: 1; mode=block
Cache-Control: no-store, no-cache
Pragma: no-cache
Referrer-Policy: no-referrer
Content-Length: 69
3. open https://<hostname>:2224/remote/capabilities
> got 401: {"notauthorized":"true"}
4. check network header for capabilities
the header:
HTTP/1.1 401 Unauthorized
Content-Type: text/html; charset=UTF-8
Date: Mon, 17 Jul 2023 15:02:16 GMT
Strict-Transport-Security: max-age=63072000
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
Content-Security-Policy: frame-ancestors 'self'; default-src 'self'
X-Xss-Protection: 1; mode=block
Cache-Control: no-store, no-cache
Pragma: no-cache
Referrer-Policy: no-referrer
Content-Length: 24
> OK: CSP (Content-Security-Policy) is in place for 404 and 401 with values frame-ancestors 'self'; default-src 'self'

Marking as VERIFIED for pcs-0.11.6-1.el9.
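The test steps in the upstream-patch comment and the BEFORE/AFTER captures above are checked by hand in a browser's network panel. The script below is an added example, not part of the bug report or of the pcs project, that automates the same verification: it parses a raw HTTP response head, confirms the Content-Security-Policy value the bug expects is present on error responses, and lists any missing hardening headers. The two embedded responses are transcribed from the BEFORE 404 and AFTER 401 captures in this bug; the live-check helper, its URL and the cafile parameter are assumptions added for illustration.

```python
"""Verify that pcsd error responses (401/404) carry the expected security headers.

Added example, not the pcs project's own code. The offline part works on the
captures quoted in the bug; check_live() is an assumed helper for a real host.
"""
import ssl
import urllib.request
from urllib.error import HTTPError

# Value the bug's test step expects in the Content-Security-Policy header.
EXPECTED_CSP = "frame-ancestors 'self'; default-src 'self'"

# Headers every response, error pages included, should carry (from the AFTER capture).
REQUIRED_HEADERS = (
    "Content-Security-Policy",
    "Strict-Transport-Security",
    "X-Content-Type-Options",
    "X-Frame-Options",
)

# Constructed from the bug's BEFORE capture (pcs-0.11.4-6.el9): a bare Tornado 404.
BEFORE_404 = """HTTP/1.1 404 Not Found
Server: TornadoServer/6.2
Content-Type: text/html; charset=UTF-8
Date: Mon, 17 Jul 2023 15:16:24 GMT
Content-Length: 69
"""

# Constructed from the bug's AFTER capture (pcs-0.11.6-1.el9): 401 with headers.
AFTER_401 = """HTTP/1.1 401 Unauthorized
Content-Type: text/html; charset=UTF-8
Date: Mon, 17 Jul 2023 15:02:16 GMT
Strict-Transport-Security: max-age=63072000
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
Content-Security-Policy: frame-ancestors 'self'; default-src 'self'
X-Xss-Protection: 1; mode=block
Cache-Control: no-store, no-cache
Pragma: no-cache
Referrer-Policy: no-referrer
Content-Length: 24
"""


def parse_response_head(raw):
    """Split a raw HTTP response head into (status_code, headers).

    Header names are lower-cased so lookups are case-insensitive, as HTTP
    requires; repeated headers are joined with ', ' like a client would.
    """
    lines = raw.strip().splitlines()
    status_code = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        if not line.strip():
            break  # blank line ends the head
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        headers[name] = headers[name] + ", " + value if name in headers else value
    return status_code, headers


def check_security_headers(status_code, headers):
    """Return {'missing': [...], 'csp_ok': bool, 'notes': [...]} for one response."""
    missing = [h for h in REQUIRED_HEADERS if h.lower() not in headers]
    csp_ok = headers.get("content-security-policy") == EXPECTED_CSP
    notes = []
    # The report's caveat: the 401 body is JSON but is labelled text/html, so a
    # browser treats it as a document and the CSP is needed on it as well.
    if status_code == 401 and headers.get("content-type", "").startswith("text/html"):
        notes.append("401 served as text/html: CSP is required on this response")
    return {"missing": missing, "csp_ok": csp_ok, "notes": notes}


def check_raw(raw):
    """Parse a captured response head and check it in one call."""
    return check_security_headers(*parse_response_head(raw))


def check_live(url, cafile=None):
    """Assumed helper: fetch url and check its headers, treating 4xx as normal.

    urlopen raises HTTPError for 401/404, but the error object still carries the
    status and headers, which is exactly what this check needs. cafile is assumed
    to point at the CA bundle that signed the pcsd certificate; None uses the
    system trust store.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        resp = urllib.request.urlopen(url, context=ctx, timeout=10)
        status = resp.status
    except HTTPError as err:
        resp, status = err, err.code
    headers = {k.lower(): v for k, v in resp.headers.items()}
    return check_security_headers(status, headers)


if __name__ == "__main__":
    for label, raw in (("BEFORE 404", BEFORE_404), ("AFTER 401", AFTER_401)):
        print(label, check_raw(raw))
    # Example for a real host (assumed URL from the bug's reproduction steps):
    # print(check_live("https://<hostname>:2224/remote/capabilities", cafile=...))
```

Running the script prints the BEFORE capture as missing all four headers and the AFTER capture as passing with the expected CSP value, plus the note that the 401 is still labelled text/html. The live helper reuses the same checker, so a test run against a node with PCSD_DISABLE_GUI=true only differs in where the headers come from.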