topic Re: Content-Security-Policy HTTP header Not Implemented in ONTAP Discussions

Content-Security-Policy HTTP header Not Implemented

52DevOps — Wed, 04 Jun 2025 13:12:47 GMT

Title of Vulnerability: Content Security Policy (CSP) Not Implemented - Risk Level: Moderate (CVSS=5.0) ONTAP 9.3P6

Rationale/Finding Description: The NetApp devices web interface failed to implement the CSP protection. CSP, if implemented prevents cross-site scripting (XSS), clickjacking and other code injection attacks resulting from execution of malicious content in the trusted web page context.

It’s a browser side mechanism that allows to create whitelists for client side resources of the web interface (JavaScript, CSS, images, etc.). CSP is delivered via a special HTTP header that instructs the browser to only execute or render resources from the white list.

An attack requires publicly available tools, considerable amount of time and knowledge of the existing code injection weaknesses in the web interface.

A successful attack could allow an attacker to successfully exploit the web interface in the event of code injection attacks like XSS attacks.

Recommendation for Mitigation: Enable CSP on the web interface by sending the Content-Security-Policy in HTTP response headers. For example: Content-Security-Policy: default-src 'self'; script-src 'self'

For implementing CSP the header needs to be modified, has anyone done this? Would like to know how to do it.

https://www.blackhillsinfosec.com/fix-missing-content-security-policy-website/

Re: Content-Security-Policy HTTP header Not Implemented

GidonMarcus — Tue, 16 Oct 2018 22:06:00 GMT

Hi,

is there a question we are missing on this thread ?

Thanks

Re: Content-Security-Policy HTTP header Not Implemented

52DevOps — Wed, 17 Oct 2018 13:10:38 GMT

For implementing CSP the header needs to be modified, has anyone done this? Would like to know how to do it.

https://www.blackhillsinfosec.com/fix-missing-content-security-policy-website/

Re: Content-Security-Policy HTTP header Not Implemented

kryan — Wed, 17 Oct 2018 14:11:14 GMT

Which version of ONTAP does this information pertain to?

Re: Content-Security-Policy HTTP header Not Implemented

52DevOps — Wed, 17 Oct 2018 18:42:29 GMT

9.3P6

Re: Content-Security-Policy HTTP header Not Implemented

52DevOps — Tue, 13 Nov 2018 15:24:44 GMT

No one has had to fix this issue? Is there an expected time-frame from NetApp on mitigating this issue?

If I can get to the web config files this can be resolved quickly, however not sure where to find those files. Anyone knows about it?

Re: Content-Security-Policy HTTP header Not Implemented

kryan — Tue, 13 Nov 2018 17:12:01 GMT

Have you opened a support case where additional data might be found?

If not, please share the source of this finding and the CVSS score vectors.

Re: Content-Security-Policy HTTP header Not Implemented

52DevOps — Tue, 13 Nov 2018 19:34:45 GMT

1) No

2) Nessus scans do show this as an issue.

Re: Content-Security-Policy HTTP header Not Implemented

kryan — Tue, 13 Nov 2018 20:28:22 GMT

Please provide the Nessus plugin from the result.

Re: Content-Security-Policy HTTP header Not Implemented

kryan — Thu, 15 Nov 2018 14:46:36 GMT

Please confirm that this is the result you are observing:

https://www.tenable.com/plugins/nessus/50344

Plugin #50344

Info

Missing or Permissive Content-Security-Policy frame-ancestors HTTP Response Header

Description

The remote web server in some responses sets a permissive Content-Security-Policy (CSP) frame-ancestors response header or does not set one at all.
The CSP frame-ancestors header has been proposed by the W3C Web Application Security Working Group as a way to mitigate cross-site scripting and clickjacking attacks.

Solution

Set a non-permissive Content-Security-Policy frame-ancestors header for all requested resources.

Re: Content-Security-Policy HTTP header Not Implemented

52DevOps — Thu, 29 Nov 2018 19:54:30 GMT

Sounds similar to our issue. What's the fix for it ?

Re: Content-Security-Policy HTTP header Not Implemented

kryan — Tue, 18 Dec 2018 21:12:05 GMT

In order to resolve the CSP Nessus result on port 443, open a support case and ask for assistance with the workaround for bug 1200750.