The Horizon Connection Server must enable the proper Content Security Policy directives.

An XCCDF Rule

Description

<VulnDiscussion>The Horizon Connection Server Content Security Policy (CSP) feature mitigates a broad class of content injection vulnerabilities such as cross-site scripting (XSS), clickjacking and other code injection attacks resulting from execution of malicious content in the trusted web page context. The Connection Server has default CSP directives that block XSS attacks, enable x-frame restrictions and more. If the default configurations are overridden, the protections may be disabled even though the CSP itself is still enabled. This default policy must be validated and maintained over time.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>

ID: SV-246910r768690_rule
Severity: Medium
References: CCI-000366
Updated: about 1 year ago

On the Horizon Connection Server, navigate to "<install_directory>\VMware\VMware View\Server\sslgateway\conf".

If a file named "locked.properties" does not exist in this path, this is NOT a finding.

Open "locked.properties" in a text editor. Find and remove the following settings:
content-security-policy
content-security-policy-newadmin
content-security-policy-portal
content-security-policy-rest

Save and close the file. Restart the "VMware Horizon View Connection Server" service for changes to take effect.

The Horizon Connection Server must enable the proper Content Security Policy directives.

Description

Remediation - Manual Procedure