The Horizon Connection Server must enable the Content Security Policy.
An XCCDF Rule
Description
The Horizon Connection Server Content Security Policy (CSP) feature mitigates a broad class of content injection vulnerabilities, such as cross-site scripting (XSS), clickjacking and other code injection attacks resulting from execution of malicious content in the trusted web page context. The Connection Server defines the policy and the client browser enforces the policy. This feature is enabled by default but must be validated and maintained over time.
- ID
- SV-246909r768687_rule
- Version
- HRZV-7X-000028
- Severity
- Medium
- References
- Updated
Remediation Templates
A Manual Procedure
On the Horizon Connection Server, navigate to "<install_directory>\VMware\VMware View\Server\sslgateway\conf".
Open "locked.properties" in a text editor. Remove the following line:
enableCSP=false
Save and close the file. Restart the "VMware Horizon View Connection Server" service for changes to take effect.