
Stats not available in nomad ui deployment view #3527

Closed
commarla opened this issue Nov 9, 2017 · 2 comments

Comments


commarla commented Nov 9, 2017

Nomad version

Nomad v0.7.0

Operating system and Environment details

Debian Jessie

Issue

On the page http://nomad/ui/jobs/my-service/deployments the stats are not available because of a Content Security Policy violation.

This header is responsible. We can't load content from a different address than the Nomad server itself:

```go
header.Add("Content-Security-Policy", "default-src 'none'; connect-src 'self'; img-src 'self' data:; script-src 'self'; style-src 'self' 'unsafe-inline'; form-action 'none'; frame-ancestors 'none'")
```

Is this header relevant?

Reproduction steps

Just open the url and open the browser console
Chrome 61 and Firefox 58

Browser JS console

Content Security Policy: The page’s settings blocked the loading of a resource at http://10.32.25.105:4646/v1/client/allocation/b0d428e6-dd34-333f-e7ab-ae2a2172d127/stats (“connect-src http://nomad”)

DingoEatingFuzz (Contributor) commented Nov 9, 2017

Great find! That header is only used in prod, so it slipped through the cracks in local testing and ui acceptance tests.

The header is indeed relevant and was borrowed from Vault, which appropriately locks down everything.

The important part is connect-src 'self', which more or less says the web page should not allow websockets, fetch, or XHRs from any origin other than its own.

The other half of CORS should still be a-okay:

```go
// Server-side CORS settings (github.com/rs/cors): any origin may issue
// read-only HEAD/GET requests with any headers. This governs what the
// server accepts, not what the browser is willing to send.
allowCORS = cors.New(cors.Options{
	AllowedOrigins: []string{"*"},
	AllowedMethods: []string{"HEAD", "GET"},
	AllowedHeaders: []string{"*"},
})
```

I'll have a PR once I test this end to end.
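To make the distinction in the comment above concrete, here is an added example (not code from this issue or from Nomad) of the connect-src decision the browser makes before any request leaves the page: it parses the CSP quoted in the issue and reports whether a fetch from the UI's origin to a given URL passes, so the stats call to a client node's address is refused while the server-side CORS settings never get a chance to apply. The evaluator is deliberately simplified (no default-src fallback, no host wildcards, no scheme upgrade rules); the page origin and request URLs are taken from the issue.

```go
package main

import (
	"net/url"
	"strings"
)

// nomadCSP is the Content-Security-Policy value quoted in this issue.
const nomadCSP = "default-src 'none'; connect-src 'self'; img-src 'self' data:; script-src 'self'; style-src 'self' 'unsafe-inline'; form-action 'none'; frame-ancestors 'none'"

// parseCSP splits a policy into directive name -> source expressions.
func parseCSP(policy string) map[string][]string {
	dirs := map[string][]string{}
	for _, d := range strings.Split(policy, ";") {
		if f := strings.Fields(d); len(f) > 0 {
			dirs[strings.ToLower(f[0])] = f[1:]
		}
	}
	return dirs
}

// origin returns the lowercased scheme://host[:port] CSP compares on, or "" for a non-absolute URL.
func origin(raw string) string {
	u, err := url.Parse(raw)
	if err != nil || u.Scheme == "" || u.Host == "" {
		return ""
	}
	return strings.ToLower(u.Scheme + "://" + u.Host)
}

// ConnectAllowed reports whether a fetch/XHR from a page served at pageOrigin to target passes
// connect-src. Simplified: knows 'none', '*', 'self' and literal origins; fails closed on bad input.
func ConnectAllowed(policy, pageOrigin, target string) bool {
	sources := parseCSP(policy)["connect-src"]
	page, tgt := origin(pageOrigin), origin(target)
	if page == "" || tgt == "" {
		return false
	}
	for _, src := range sources {
		switch s := strings.ToLower(src); {
		case s == "'none'":
			return false
		case s == "*", s == "'self'" && tgt == page, strings.TrimSuffix(s, "/") == tgt:
			return true
		}
	}
	return false
}
```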


github-actions bot commented Dec 6, 2022

I'm going to lock this issue because it has been closed for 120 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Dec 6, 2022