Details
- Vendor Bug
- Resolution: Fixed
- Critical
- None
- Enterprise Edition
Description
Environment:
- Observium Version: 26.4.14744
- OS: Debian 12
- Web Server: Apache HTTP Server (Apache2) 2.4.66
- PHP Version: 8.2.3
Description:
The AJAX search function in Observium does not work when a strict Content Security Policy (CSP) is applied that omits unsafe-eval.
Steps to Reproduce:
- Configure a CSP header in Apache2 (e.g., in the vhost), without 'unsafe-eval':
  Header set Content-Security-Policy "default-src 'self'; script-src 'self';"
- Open Observium web UI
- Use the search bar (AJAX search)
Expected Behavior:
Search suggestions / results should appear dynamically via AJAX.
Actual Behavior:
AJAX search does not return results or fails silently.
Additional Notes:
- Adding 'unsafe-eval' to script-src resolves the issue
Impact:
Users implementing secure CSP headers cannot use the AJAX search feature without weakening their security policy.
Suggested Improvement:
Refactor frontend code to avoid use of eval() or similar patterns so that 'unsafe-eval' is not required.
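The following is an added example, not code from Observium or from this report. It covers two points above: checking whether a Content-Security-Policy header such as the one in the reproduction steps permits eval()-style execution (script-src governs it, with default-src as the fallback), and handling an AJAX search reply with JSON.parse rather than eval(), which is the kind of refactor the suggested improvement calls for. The response payload is a constructed sample; the function names are assumptions.

```javascript
// Added example, not Observium code. Two defender-side helpers:
// 1) cspAllowsEval(): parse a CSP header string and report whether the
//    effective script directive permits eval()/new Function().
// 2) parseSearchResponse(): consume a search-suggestion reply with
//    JSON.parse, which works under a policy that omits 'unsafe-eval'.

function parseCsp(header) {
  // CSP directives are ';'-separated; each is "<name> <source> <source> ...".
  const policy = new Map();
  for (const raw of header.split(';')) {
    const directive = raw.trim();
    if (!directive) continue;
    const [name, ...sources] = directive.split(/\s+/);
    policy.set(name.toLowerCase(), sources.map((s) => s.toLowerCase()));
  }
  return policy;
}

function cspAllowsEval(header) {
  const policy = parseCsp(header);
  // script-src controls eval(); when it is absent, default-src applies.
  const sources = policy.get('script-src') ?? policy.get('default-src');
  if (sources === undefined) return true; // no script restriction at all
  return sources.includes("'unsafe-eval'");
}

// Constructed sample reply shaped like a search-suggestion payload
// (assumed shape, not Observium's actual response format).
const SAMPLE_RESPONSE =
  '[{"label":"router-01","url":"/device/1"},' +
  '{"label":"router-02","url":"/device/2"}]';

function parseSearchResponse(body) {
  // JSON.parse is a data parser, not a code evaluator, so it is permitted
  // by a CSP without 'unsafe-eval'. Anything that is not well-formed JSON
  // is rejected instead of being executed.
  let items;
  try {
    items = JSON.parse(body);
  } catch (e) {
    return [];
  }
  if (!Array.isArray(items)) return [];
  // Keep only entries with the fields the UI expects; drop everything else.
  return items.filter(
    (i) => i && typeof i.label === 'string' && typeof i.url === 'string'
  );
}

// The pattern the report asks to remove, shown only for contrast. A call
// such as eval('(' + body + ')') requires 'unsafe-eval' and therefore
// fails under the policy in the reproduction steps.
```

When rendering the parsed items, setting textContent on the suggestion elements (rather than building HTML from the label strings) keeps the handler free of both eval() and string-to-markup conversion, so the page works under the strict policy without reintroducing an injection surface.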