Rule ID
SV-246910r879887_rule
Version
V1R2
CCIs
The Horizon Connection Server Content Security Policy (CSP) feature mitigates a broad class of content injection vulnerabilities such as cross-site scripting (XSS), clickjacking and other code injection attacks resulting from execution of malicious content in the trusted web page context. The Connection Server has default CSP directives that block XSS attacks, enable x-frame restrictions and more. If the default configurations are overridden, the protections may be disabled even though the CSP itself is still enabled. This default policy must be validated and maintained over time.
On the Horizon Connection Server, navigate to "<install_directory>\VMware\VMware View\Server\sslgateway\conf". If a file named "locked.properties" does not exist in this path, this is NOT a finding. Open "locked.properties" in a text editor. Find the following settings: content-security-policy content-security-policy-newadmin content-security-policy-portal content-security-policy-rest If any of the above settings are present, this is a finding.
On the Horizon Connection Server, navigate to "<install_directory>\VMware\VMware View\Server\sslgateway\conf". If a file named "locked.properties" does not exist in this path, this is NOT a finding. Open "locked.properties" in a text editor. Find and remove the following settings: content-security-policy content-security-policy-newadmin content-security-policy-portal content-security-policy-rest Save and close the file. Restart the "VMware Horizon View Connection Server" service for changes to take effect.