Cacti / plugin_gpsmap

GPS Maps Plugin for Cacti
GNU General Public License v2.0

No map display after cacti 1.2.11 upgrade #11

Closed tfagart closed 4 years ago

tfagart commented 4 years ago

Describe the bug: After upgrading Cacti above 1.2.11, the gpsmap plugin no longer displays maps. The KML/XML calculation is being done properly, but there is no way to display the map. I guess this is linked to the new Content-Security-Policy.

To Reproduce: Steps to reproduce the behavior:

  1. Upgrade Cacti to 1.2.11 or above
  2. Click on maps tab
  3. See blank page

Expected behavior: See Google Maps

warnesj commented 4 years ago

I had the same problem on my CentOS 7 server running Cacti 1.2.11 and the development version of gpsmaps when accessing the Maps tab from my Windows 10 system using Microsoft Edge 81.0.416.72 (Chromium). You are correct that it's related to the Content-Security-Policy. If you open your JavaScript console you should see the policy elements that are preventing the maps from displaying.

I tweaked a couple of Cacti core files to get things going again, so I don't know what would be the best way to fix this permanently.

Here were my changes:

./include/global.php

At line 437 change,

    header("Content-Security-Policy: default-src 'self'; img-src 'self' data: blob:; style-src 'self' 'unsafe-inline'; script-src 'self' $script_policy 'unsafe-inline'; frame-ancestors 'self'; worker-src 'self'");

to

    header("Content-Security-Policy: default-src https://fonts.gstatic.com 'self'; img-src http://maps.gstatic.com https://maps.gstatic.com https://maps.googleapis.com 'self' data: blob:; style-src https://fonts.googleapis.com 'self' 'unsafe-inline'; script-src https://maps.googleapis.com 'self' $script_policy 'unsafe-inline'; frame-ancestors 'self'; worker-src 'self'");

./lib/html.php

At line 2365 change,

    <meta http-equiv="Content-Security-Policy" content="default-src 'self'; img-src 'self' data: blob:; style-src 'self' 'unsafe-inline'; script-src 'self' <?php print $script_policy;?> 'unsafe-inline'; worker-src 'self'">

to

    <meta http-equiv="Content-Security-Policy" content="default-src https://fonts.gstatic.com 'self'; img-src http://maps.gstatic.com https://maps.gstatic.com https://maps.googleapis.com 'self' data: blob:; style-src https://fonts.googleapis.com 'self' 'unsafe-inline'; script-src https://maps.googleapis.com 'self' <?php print $script_policy;?> 'unsafe-inline'; worker-src 'self'">
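
An added example (not part of the original thread, and not Cacti or gpsmap code) that evaluates the two header policies quoted in the comment above against the resource types the map page loads. It uses simplified source matching (scheme and host only), leaves out the PHP `$script_policy` value, and assumes a placeholder origin `https://cacti.example` and constructed request paths.

```javascript
// Simplified CSP source matching: scheme + host only, no paths, ports or wildcards.
const ORIGINAL = "default-src 'self'; img-src 'self' data: blob:; style-src 'self' 'unsafe-inline'; " +
  "script-src 'self' 'unsafe-inline'; frame-ancestors 'self'; worker-src 'self'";
const MODIFIED = "default-src https://fonts.gstatic.com 'self'; " +
  "img-src http://maps.gstatic.com https://maps.gstatic.com https://maps.googleapis.com 'self' data: blob:; " +
  "style-src https://fonts.googleapis.com 'self' 'unsafe-inline'; " +
  "script-src https://maps.googleapis.com 'self' 'unsafe-inline'; frame-ancestors 'self'; worker-src 'self'";

// Parse "name src src; name src" into a Map of directive -> source list.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    // A repeated directive is ignored; the first occurrence wins.
    if (name && !directives.has(name.toLowerCase())) directives.set(name.toLowerCase(), sources);
  }
  return directives;
}

// Would a fetch of `url` governed by `directive` be allowed on a page served from `pageOrigin`?
function isAllowed(policy, directive, url, pageOrigin) {
  const directives = parseCsp(policy);
  // Fetch directives that are absent fall back to default-src.
  const sources = directives.get(directive) ?? directives.get('default-src');
  if (sources === undefined) return true; // nothing applies: not restricted
  const target = new URL(url);
  return sources.some((src) => {
    if (src === "'self'") return target.origin === pageOrigin;
    if (/^[a-z][a-z0-9+.-]*:$/i.test(src)) return target.protocol === src.toLowerCase(); // data:, blob:
    if (src.startsWith("'")) return false; // 'unsafe-inline' etc. never match a URL
    try { return new URL(src).origin === target.origin; } catch { return false; }
  });
}

// Constructed sample requests: hosts come from the thread, paths are placeholders.
const MAP_REQUESTS = [
  ['script-src', 'https://maps.googleapis.com/maps/api/js'],
  ['style-src', 'https://fonts.googleapis.com/css'],
  ['font-src', 'https://fonts.gstatic.com/s/font.woff2'],
  ['img-src', 'https://maps.gstatic.com/mapfiles/tile.png'],
];

// List the sample requests that the given policy would block.
function blockedRequests(policy, pageOrigin) {
  return MAP_REQUESTS.filter(([d, u]) => !isAllowed(policy, d, u, pageOrigin)).map(([d, u]) => `${d} ${u}`);
}

console.log('original blocks:', blockedRequests(ORIGINAL, 'https://cacti.example'));
console.log('modified blocks:', blockedRequests(MODIFIED, 'https://cacti.example'));
```

Neither policy defines `font-src` or `connect-src`, so those requests are judged against `default-src`; the host added there is therefore permitted for every fetch directive that has no entry of its own.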

tfagart commented 4 years ago

Hello,

Many thanks, it works well. I don't know how to interact with Cacti Code, but I guess a pull request?

Regards

Thomas

BrunerHoes commented 3 years ago

I don't have global.php in /usr/share/cacti/plugins/gpsmap/include, and it's the same for html.php. I have Cacti version 1.2.15.

netniV commented 3 years ago

@BrunerHoes These are in the core directory, not the plugin.