
V-246909

CAT II (Medium)

The Horizon Connection Server must enable the Content Security Policy.

Rule ID

SV-246909r879887_rule

STIG

VMware Horizon 7.13 Connection Server Security Technical Implementation Guide

Version

V1R2

CCIs

CCI-000366

Discussion

The Horizon Connection Server Content Security Policy (CSP) feature mitigates a broad class of content injection vulnerabilities, such as cross-site scripting (XSS), clickjacking and other code injection attacks resulting from execution of malicious content in the trusted web page context. The Connection Server defines the policy and the client browser enforces the policy. This feature is enabled by default but must be validated and maintained over time.

Check Content

On the Horizon Connection Server, navigate to "<install_directory>\VMware\VMware View\Server\sslgateway\conf".

If a file named "locked.properties" does not exist in this path, this is NOT a finding.

Open "locked.properties" in a text editor. Find the "enableCSP" setting.

If there is no "enableCSP" setting, this is NOT a finding.

If "enableCSP" is set to "false", this is a finding.
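
The check above as a script (an added example, not part of the STIG or of VMware's tooling). The function name Test-HorizonCsp and its -ConfDir parameter are hypothetical; the operator passes the conf directory because the page gives the install path only as a placeholder. It assumes "locked.properties" follows Java properties syntax, where comments start with # or !, the separator may be =, : or whitespace, and the last occurrence of a key wins.

```powershell
# Added example: evaluates the V-246909 check logic against locked.properties.
# Test-HorizonCsp and -ConfDir are hypothetical names, not VMware tooling.
function Test-HorizonCsp {
    param(
        [Parameter(Mandatory)][string]$ConfDir
    )
    $file = Join-Path $ConfDir 'locked.properties'

    # Check step: no locked.properties in this path is NOT a finding.
    if (-not (Test-Path -LiteralPath $file -PathType Leaf)) {
        return [pscustomobject]@{ Finding = $false; Reason = 'locked.properties does not exist' }
    }

    $value = $null
    foreach ($line in Get-Content -LiteralPath $file) {
        $t = $line.Trim()
        # Skip blank lines and properties-style comments (assumed syntax).
        if ($t -eq '' -or $t -match '^[#!]') { continue }
        # Accept "key=value", "key: value" and "key value". -match ignores case,
        # so a differently cased key is still flagged (deliberately conservative).
        # A later occurrence overwrites an earlier one.
        if ($t -match '^enableCSP\s*[=:\s]\s*(.*)$') { $value = $Matches[1].Trim() }
    }

    # Check step: no enableCSP setting is NOT a finding.
    if ($null -eq $value) {
        return [pscustomobject]@{ Finding = $false; Reason = 'no enableCSP setting' }
    }

    # Check step: enableCSP set to "false" is a finding (-eq ignores case).
    [pscustomobject]@{ Finding = ($value -eq 'false'); Reason = "enableCSP=$value" }
}

# Constructed sample input in a temp directory, so the example runs on any host.
$tmp = Join-Path ([IO.Path]::GetTempPath()) ([guid]::NewGuid().ToString())
New-Item -ItemType Directory -Path $tmp | Out-Null
Set-Content -LiteralPath (Join-Path $tmp 'locked.properties') -Value @(
    '# constructed sample, not a real Connection Server file',
    'enableCSP = False'
)
Test-HorizonCsp -ConfDir $tmp
Remove-Item -LiteralPath $tmp -Recurse -Force
```

Because the setting is enabled by default, a missing file or missing key passes; only an explicit "false" is reported, including variants a plain text search for "enableCSP=false" would miss.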

Fix Text

On the Horizon Connection Server, navigate to "<install_directory>\VMware\VMware View\Server\sslgateway\conf".

Open "locked.properties" in a text editor. Remove the following line:

enableCSP=false

Save and close the file. Restart the "VMware Horizon View Connection Server" service for changes to take effect.