Security-Onion-Solutions / securityonion

Security Onion is a free and open platform for threat hunting, enterprise security monitoring, and log management. It includes our own interfaces for alerting, dashboards, hunting, PCAP, detections, and case management. It also includes other tools such as osquery, CyberChef, Elasticsearch, Logstash, Kibana, Suricata, and Zeek.
https://securityonion.net

FIX: Some browsers refuse to load SOC UI due to CSP blocking wss: protocol #4938

Closed jertel closed 3 years ago

jertel commented 3 years ago

On Safari:

Attempting to connect to manager

And just below that a red box with the message:

The operation is insecure.

Everything seems to work fine. But obviously the messages are concerning. They did not appear when connecting via Safari previous to the 2.3.61 upgrade. And if I connect using Google Chrome from the same system I see neither message.

My search of these discussions yielded no hits for the latter message. And only one significant hint for the former. That discussion suggested that it indicates a WebSocket. Delving into the page using Safari's Web Inspector I see the following message in the alerts:

Refused to connect to wss://securityonion.lan/ws because it appears in neither the connect-src directive nor the default-src directive of the Content Security Policy.

A couple more web searches indicate this is probably related to the WebKit Refined Content Security Policy. And checking the header for the SOC page I actually don't see any meta element containing:

<meta http-equiv="Content-Security-Policy" ...

So I'm imagining this is likely the issue. Was there a change to the SOC that might have caused this? Anything I can do to eliminate the message (sans changing browser)?

Thanks in advance for any assistance you can provide!

Originally posted by @wdhachfeld in https://github.com/Security-Onion-Solutions/securityonion/discussions/4914
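
The check behind the Safari message quoted above, as an added example that is not part of this thread or of the project's code: it evaluates a `wss:` connection against `connect-src` (falling back to `default-src`) once with strict same-origin matching of `'self'` and once with CSP Level 3 matching, where `'self'` on an `https:` page also covers `wss:` on the same host. The policy strings are constructed for illustration and are not the header SOC sends; that the refusal came from strict `'self'` matching is an assumption.

```javascript
// Added example: simplified connect-src evaluation for one target URL.
// Handles 'self', scheme sources (wss:) and scheme://host[:port] sources;
// wildcards, paths and scheme-less host sources are not modelled (no match).
function parseCsp(header) {
  const directives = new Map();
  for (const part of header.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    // The first occurrence of a directive wins; later duplicates are ignored.
    if (name && !directives.has(name.toLowerCase())) directives.set(name.toLowerCase(), sources);
  }
  return directives;
}

function selfMatches(page, target, csp3) {
  // URL.port is "" for a scheme's default port, so equal strings mean
  // "same port, or both default for their schemes".
  const sameHostPort = page.hostname === target.hostname && page.port === target.port;
  if (sameHostPort && page.protocol === target.protocol) return true; // same origin
  if (!csp3) return false; // strict matching: https page, wss target => no match
  // CSP Level 3: 'self' also covers https/wss (and http -> ws) on the same host.
  return sameHostPort && (["https:", "wss:"].includes(target.protocol) ||
    (page.protocol === "http:" && target.protocol === "ws:"));
}

function allowsConnect(header, pageUrl, targetUrl, csp3) {
  const csp = parseCsp(header);
  // connect-src governs WebSocket connections; default-src is the fallback.
  const sources = csp.get("connect-src") ?? csp.get("default-src");
  if (sources === undefined) return true; // no governing directive, nothing to enforce
  const page = new URL(pageUrl), target = new URL(targetUrl);
  return sources.some((src) => {
    const s = src.toLowerCase();
    if (s === "'self'") return selfMatches(page, target, csp3);
    if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return s === target.protocol; // e.g. wss:
    try {
      const u = new URL(s); // e.g. wss://securityonion.lan
      return u.protocol === target.protocol && u.hostname === target.hostname && u.port === target.port;
    } catch { return false; } // keywords and unmodelled sources never match
  });
}

// Constructed policies, not the header SOC actually sends.
const PAGE = "https://securityonion.lan/";
const WS = "wss://securityonion.lan/ws";
const POLICIES = ["default-src 'self'", "default-src 'self'; connect-src 'self' wss:",
  "default-src 'self'; connect-src 'self' wss://securityonion.lan"];
for (const p of POLICIES) {
  console.log(p, "| strict:", allowsConnect(p, PAGE, WS, false), "| csp3:", allowsConnect(p, PAGE, WS, true));
}
```

Only the first policy differs between the two modes, which is the pattern of one browser refusing the WebSocket while another on the same system connects.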

dougburks commented 3 years ago

Security Onion 2.3.61 Hotfix for STENO and CSP Now Available! https://blog.securityonion.net/2021/07/security-onion-2361-hotfix-for-steno.html