The Horizon Connection Server must enable the Content Security Policy.

An XCCDF Rule

Description

<VulnDiscussion>The Horizon Connection Server Content Security Policy (CSP) feature mitigates a broad class of content injection vulnerabilities, such as cross-site scripting (XSS), clickjacking and other code injection attacks resulting from execution of malicious content in the trusted web page context. The Connection Server defines the policy and the client browser enforces the policy. This feature is enabled by default but must be validated and maintained over time.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>

ID: SV-246909r768687_rule
Severity: Medium
References: CCI-000366
Updated: about 1 year ago

On the Horizon Connection Server, navigate to "<install_directory>\VMware\VMware View\Server\sslgateway\conf".

Open "locked.properties" in a text editor. Remove the following line:

enableCSP=false
Save and close the file. Restart the "VMware Horizon View Connection Server" service for changes to take effect.

The Horizon Connection Server must enable the Content Security Policy.

Description

Remediation - Manual Procedure