cheng_w
cheng_w
New Poster
‎03-17-2018
since ‎03-11-2018

Discussion Feed

Re: Configuring CSP for EUM injection

by cheng_w in End User Monitoring (EUM)
‎03-16-2018 12:28 AM
‎03-16-2018 12:28 AM
Awesome!   Thank you for your clarification and pointing out the potential pitfalls of this approach. ... View more

Re: Configuring CSP for EUM injection

by cheng_w in End User Monitoring (EUM)
‎03-14-2018 03:51 AM
‎03-14-2018 03:51 AM
Thanks for your reply once again, Amit.    We are looking to use this technique to allow inline script: https://www.w3.org/TR/CSP2/#script-src-hash-usage   The steps are as follows: 1) Turn on appdynamics EUM 2) Check webpage and copy entire injected <script> block's contents 3) Compute sha-512 hash of the (2) 4) Configure AP to add this static CSP http header, with hash computed in (3), to every page served like such:  Content-Security-Policy: script-src 'sha512-YWIzOWNiNzJjNDRlYzc4MTgwMDhmZDlkOWI0NTAyMjgyY2MyMWJlMWUyNjc1ODJlYWJhNjU5MGU4NmZmNGU3OAo='   Using this method, any changes in the  injected <script> block's contents will break our CSP whitelist, as browser will disallow non-whitelisted javascript.   We would like to know if these block is subjected to changes, assuming we do not modify the configuration of Browser Application via the appdynamics dashboard. Possible changes that we thought of are JS logic changes or auto version up of adrum.ext.hash.js etc.    I hope I was able to explain it clearer this time! Thank you!     ... View more

Re: Configuring CSP for EUM injection

by cheng_w in End User Monitoring (EUM)
‎03-11-2018 11:18 PM
‎03-11-2018 11:18 PM
Thanks Amit, appreciate your quick reply. I understand what you are saying and it clarified my second question. Could you also comment on my first question?   This is important to us because we are looking to whitelist script src in CSP by hashcode, so any changes to the injected <script> block will render this the setting invalid.    Will the injected script block change, i.e. JS logic updated or just a change of filename for  adrum.ext. hash .js,  thereby making my pre-computed hashcode invalid?   Thank you once again.   ... View more

Configuring CSP for EUM injection

by cheng_w in End User Monitoring (EUM)
‎03-11-2018 10:06 PM
1 Kudo
‎03-11-2018 10:06 PM
1 Kudo
Hello everyone. I have read this article but I have some concerns. Would appreciate any help!   For context, our current configuration is as follows: Browser Application (EUM) Configuration -  Configure and download JavaScript Agent - AppDynamics hosts all JavaScript Agent files from cdn.appdynamics.com Application Configuration - User Experience App Integration - JavaScript Injection Automatic JavaScript injection - DISABLED Configure JavaScript injection - MyJavaClassAndMethodRule - ENABLED With this, my pages are injected with a large script block that also loads adrum.ext.hash.js   Now for CSP, we want to be more restrictive and do not want to enable ` unsafe-inline`.  We would like to whitelist the JS file(s) to be loaded and also the injected script block by hashcode. My questions are:  Will the injected script block change, i.e. JS logic updated or just a change of filename for  adrum.ext. hash .js,  thereby making my pre-computed hashcode invalid? The injected script block is significantly different from the generated one from Browser Application [ Configuration -  Configure and download JavaScript Agent -  Save Config & Generate HTML Snippet]. Why is that so and how do I control the script block that is injected? Thank you so much for reading!  ... View more
Activity Feed for cheng_w
Public Statistics
Date Registered ‎03-11-2018 09:30 PM
Date Last Visited ‎03-17-2018 12:29 AM
Total Messages Posted 4
Total Kudos Received 1