SecurID prompt does not appear using Chrome and Firefox after adding a Security Policy on RSA Agent 8.0.3 for Apache web server
Originally Published: 2020-10-16
Article Number
000043450
Applies To
RSA Product Set: RSA SecurID
RSA Product/Service Type: Authentication Agent for Web
RSA Version/Condition: 8.0.1 for Apache Web Server
Platform: Linux
O/S Version: Red Hat Linux 7.3
 
Issue
SecurID prompt does not appear in Chrome and Firefox after adding a Content Security Policy on a web server that enables two-factor authentication with RSA Agent 8.0.3 for Apache.

With the following header configured in Apache:
Header always set Content-Security-Policy "script-src 'self'; object-src 'self'"
the Token Authentication page is blank when a user opens it in Chrome or Firefox, and the browser console reports:
Refused to evaluate a string as JavaScript because 'unsafe-inline' is not an allowed source of script in the following Content Security Policy directive: "script-src 'self'".
Relaxing the policy to allow 'unsafe-inline', as below, lets the authentication page load:
Header always set Content-Security-Policy "script-src 'self' 'unsafe-inline'; object-src 'self'"
However, after the token credentials are entered and submitted, a second error occurs, this time requiring 'unsafe-eval'. The console shows:

Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'self' 'unsafe-inline'".
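The two console errors above map directly onto the script-src source list. The following added checker (not part of the article or the RSA agent) parses a CSP header value and reports which of the agent templates' behaviours, inline script and eval(), a given policy would block; the function and header samples are constructed for this example.

```python
"""Check a Content-Security-Policy value against the two script behaviours
the agent's HTML templates depend on: inline <script> blocks and eval().
Hypothetical helper written for this article, not RSA code."""
from dataclasses import dataclass, field


@dataclass
class ScriptPolicy:
    inline_allowed: bool
    eval_allowed: bool
    sources: list = field(default_factory=list)


def parse_csp(header: str) -> dict:
    """Split a CSP header value into {directive: [source expressions]}."""
    directives = {}
    for part in header.split(";"):
        tokens = part.strip().split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def script_policy(header: str) -> ScriptPolicy:
    """Work out what the effective script-src permits."""
    d = parse_csp(header)
    # script-src falls back to default-src; if neither is set, scripts are unrestricted.
    src = d.get("script-src", d.get("default-src"))
    if src is None:
        return ScriptPolicy(True, True)
    # Browsers ignore 'unsafe-inline' once a nonce or hash source is present.
    has_nonce_or_hash = any(t.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for t in src)
    inline = "'unsafe-inline'" in src and not has_nonce_or_hash
    return ScriptPolicy(inline, "'unsafe-eval'" in src, src)


def agent_page_issues(header: str) -> list:
    """Return the keywords the browser would refuse, in the order the article
    describes: inline script at page load first, then eval() on submit."""
    p = script_policy(header)
    issues = []
    if not p.inline_allowed:
        issues.append("unsafe-inline")
    if not p.eval_allowed:
        issues.append("unsafe-eval")
    return issues


if __name__ == "__main__":
    # Constructed sample: the two header values discussed in the article.
    for h in ("script-src 'self'; object-src 'self'",
              "script-src 'self' 'unsafe-inline'; object-src 'self'"):
        print(f"{h!r}: blocked -> {agent_page_issues(h)}")
```

An empty result means the policy permits both behaviours, which is the weaker setting; the fixed agent build removes the need for it.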
 
Cause
RSA Authentication Agent for Apache ships with several HTML templates. These templates contain inline JavaScript and string evaluation that a strict Content Security Policy refuses to run. This is documented in defect AAAPC-533.
Resolution
This issue has been documented in the defect AAAPC-533, and it is resolved in a newer build of RSA Authentication Agent 8.0.4 for Apache for Web.