VMware Horizon Community
Jstrat31
Enthusiast
Enthusiast
‎04-19-2018 10:05 AM
Jump to solution

Browser Content Security Policy blocking HTML Access in all browsers but IE

Hello Everyone

I've been working with VMware support on this issue but I figured it wouldn't hurt to ping the community.

The only browser that we are able to use the HTML Access in is internet Explorer. In all other browsers we get the error below.

"Refused to connect to  because it violates the following Content Security Policy directive: "default-src 'self'". Note that 'connect-src' was not explicitly set, so 'default-src' is used as a fallback."

While working with VMware support we have tried the following changed to the "locked.properties" file located at "C:\Program Files\VMware\VMware View\Server\sslgateway\conf" on the connection server

checkOrigin=fase 

enableCSP = false     -No change

enableCSP = true     -No change

enableCSP = true

content-security-policy = default-src 'self';script-src 'self' data:

content-security-policy-portal = default-src 'self';frame-ancestors 'self'     -No Change

x-frame-options = deny

x-frame-options-portal = sameorigin

x-xss-protection = 1; mode=block

If we disable Content Security on Chrome it works fine.

Any ideas?

Thanks

Jason Hartley

VMware Systems Specialist

Private Cloud Architects

Jason Hartley VMware Systems Specialist "Develop the skill of sensing problems when they are still small and taking care of them before they become intractable"—Robert Greene http://privatecloudky.com/
Tags (1)
1 Solution

Accepted Solutions
Jstrat31
Enthusiast
Enthusiast
‎10-02-2018 10:19 AM
Jump to solution

Updating the Horizon servers and UAGs to match the same version resolved this issue.

Jason Hartley VMware Systems Specialist "Develop the skill of sensing problems when they are still small and taking care of them before they become intractable"—Robert Greene http://privatecloudky.com/

View solution in original post

0 Kudos
8 Replies
sjesse
Leadership
Leadership
‎04-19-2018 11:09 AM
Jump to solution

did they try setting either balancedHost or portal host. I needed to set both of those in locked.properties. We are using the UAG so I set balancedHost to our loadbalanced url and portalHost to the uag address.

Allow HTML Access Through a Gateway

Allow HTML Access Through a Load Balancer

0 Kudos
Jstrat31
Enthusiast
Enthusiast
‎04-19-2018 12:32 PM
Jump to solution

Yep we tried every variation of the UAG and Load Balancer options

Jason Hartley VMware Systems Specialist "Develop the skill of sensing problems when they are still small and taking care of them before they become intractable"—Robert Greene http://privatecloudky.com/
0 Kudos
lirick
VMware Employee
VMware Employee
‎05-25-2018 12:55 AM
Jump to solution

What's the version of your HTML Access? does a valid certificate applied on your server?

Some browsers have enhancement on CSP, that's why the session couldn't be connected.

0 Kudos
Jstrat31
Enthusiast
Enthusiast
‎10-02-2018 10:19 AM
Jump to solution

Updating the Horizon servers and UAGs to match the same version resolved this issue.

Jason Hartley VMware Systems Specialist "Develop the skill of sensing problems when they are still small and taking care of them before they become intractable"—Robert Greene http://privatecloudky.com/
0 Kudos
BenFB
Virtuoso
Virtuoso
‎10-02-2018 11:17 AM
Jump to solution

Can you tell us what versions you were previously running with the issue and what you upgraded to where it resolved it?

0 Kudos
Jstrat31
Enthusiast
Enthusiast
‎10-03-2018 07:39 AM
Jump to solution

Horizon version was 7.3

UAG 3.2.1

Updating to Horizon 7.4 resolved the issues.

Jason Hartley VMware Systems Specialist "Develop the skill of sensing problems when they are still small and taking care of them before they become intractable"—Robert Greene http://privatecloudky.com/
0 Kudos
BenFB
Virtuoso
Virtuoso
‎10-03-2018 07:44 AM
Jump to solution

Thank you! Keep an eye on the interop matrix for Horizon and the UAG. If you want to upgrade past Horizon 7.4 to 7.4.1 or newer you need to first upgrade the UAG.

VMware Product Interoperability Matrices

VMHero4Ever
Enthusiast
Enthusiast
‎10-11-2018 04:56 AM
Jump to solution

I had a similar issue with Microsoft Edge. I was don't able to see the remote deskop.

All other browser like IE, Firefox and Chrome had no issues. I use 2 UAG's behind a loadbalancer (FortiADC)

Horizon 7.4.0

UAG 3.3.1

I know this combination is not offically supported.

In the Edge debugger view I could following see: Security Error CSP14312: Die Direktive default-src "self" in Content-Security-Policy wurde durch eine Ressource verletzt....

Sorry I have the message only in german.

To solve the issue I changed the "Content Security Policy" of the UAG below the horizon settings.

original string:      default-src 'self';font-src 'self' data:;script-src 'self' 'unsafe-inline' 'unsafe-eval' data:;style-src 'self' 'unsafe-inline';img-src 'self' blob: data:

new string:           font-src 'self' data:;script-src 'self' 'unsafe-inline' 'unsafe-eval' data:;style-src 'self' 'unsafe-inline';img-src 'self' blob: data:

Regards,

Eric

0 Kudos