cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
BookmarkSubscribeRSS Feed
🔒 This topic is solved and locked. Need further help from the community? Please sign in and ask a new question.
beate
Fluorite | Level 6 beate
Fluorite | Level 6
Go to Solution

SAS web server Content Security Policy blocks access to outside sources

Posted 01-20-2022 10:58 AM (2262 views)

After an update of a SAS GRID server to SAS Version 9 TS1M7, we are facing the problem that the Content Security Policy for the SAS web server was updated to no longer allow any outside sources, such as JavaScript libraries commonly used in web development.

beate_0-1642693615327.png

As access to these sources is necessary for our web application to continue to function, we placed a .htaccess file in the root of our project's htdocs folder that should allow access. Testing this approach was working fine in a windows based environment that uses Apache instead of SAS web server. The production environment is Unix. Here is the contents of our .htaccess file:

Header set Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-eval' unsafe-inline' https:; style-src 'unsafe-inline' https:; connect-src 'self';"

Access to outside sources continues to be denied, and we discovered that the httpd.conf file used by SAS server is set such that .htaccess files are ignored. Therefore we updated httpd.conf as below to allow the use of .htaccess files on the SAS web server:

<Directory "web-server-root/htdocs">
    #
    # AllowOverride controls what directives may be placed in .htaccess files.
    # It can be "All", "None", or any combination of the keywords:
    #   AllowOverride FileInfo AuthConfig Limit
    #
    AllowOverride All
</Directory>

We tried the above with and without double quotes. The SAS web server continues to ignore the .htaccess file (we did some further testing to confirm that by using a simple Redirect).

 

Questions:

  1. Is there another way in the SAS web server administration to set the Content Security Policy? 
  2. How can we configure SAS web server to allow .htaccess a very common feature used with web servers that should be available to users?

Please note that with the previous SAS install, we never encountered any of these problems.

Thank you for your feedback!

Beate

 

1 ACCEPTED SOLUTION

Accepted Solutions
AllanBowe
Barite | Level 11 AllanBowe
Barite | Level 11

Re: SAS web server Content Security Policy blocks access to outside sources

Posted 01-21-2022 04:37 AM (2154 views)  |   In reply to beate

Hi Beate,

 

It is very common for a SAS server to block access to external sources.   @DavidStern did a very nice writeup on this topic recently:  https://communities.sas.com/t5/SAS-Communities-Library/All-about-CORS-and-CSRF-for-developing-web-ap...

The simple solution for this is to embed your (tested, verified) external scripts INSIDE your SAS environment (eg `/var/www/html` on Viya 3.5 or the `htdocs` folder on 9.4)

This is far preferable to allowing access to external scripts.  Even if you trust the source (jquery) you still have a risk of "man in the middle" attacks (unless you are using an integrity checksum).  More info: https://sasjs.io/security/#subresource-integrity

A final option (not relevant here as you have server access) for serving web content internally is to embed it in SAS itself, eg as a 'streaming app':  https://sasapps.io/sas-streamed-apps



/Allan
SAS Challenges - SASensei
MacroCore library for app developers
SAS networking events (BeLux, Germany, UK&I)
Data Workflows, Data Contracts, Data Lineage, Drag & drop excel EUCs to SAS 9 & Viya - Data Controller
DevOps and AppDev on SAS 9 / Viya / Base SAS - SASjs

View solution in original post

2 REPLIES 2
AllanBowe
Barite | Level 11 AllanBowe
Barite | Level 11

Re: SAS web server Content Security Policy blocks access to outside sources

Posted 01-21-2022 04:37 AM (2155 views)  |   In reply to beate

Hi Beate,

 

It is very common for a SAS server to block access to external sources.   @DavidStern did a very nice writeup on this topic recently:  https://communities.sas.com/t5/SAS-Communities-Library/All-about-CORS-and-CSRF-for-developing-web-ap...

The simple solution for this is to embed your (tested, verified) external scripts INSIDE your SAS environment (eg `/var/www/html` on Viya 3.5 or the `htdocs` folder on 9.4)

This is far preferable to allowing access to external scripts.  Even if you trust the source (jquery) you still have a risk of "man in the middle" attacks (unless you are using an integrity checksum).  More info: https://sasjs.io/security/#subresource-integrity

A final option (not relevant here as you have server access) for serving web content internally is to embed it in SAS itself, eg as a 'streaming app':  https://sasapps.io/sas-streamed-apps



/Allan
SAS Challenges - SASensei
MacroCore library for app developers
SAS networking events (BeLux, Germany, UK&I)
Data Workflows, Data Contracts, Data Lineage, Drag & drop excel EUCs to SAS 9 & Viya - Data Controller
DevOps and AppDev on SAS 9 / Viya / Base SAS - SASjs
beate
Fluorite | Level 6 beate
Fluorite | Level 6

Re: SAS web server Content Security Policy blocks access to outside sources

Posted 01-21-2022 10:07 AM (2098 views)  |   In reply to AllanBowe

Hi Allan:

Thank you for your response.

I do not have direct access to the web server, and any update of JavaScript and CSS sources must be installed by a person who has access. This includes any custom JavaScript that I write to support this (internal) web application. While I can send scripts that are dynamically generated or more frequently updated to address change requests with the application server's response (to _webout), I have to rely on a set of core scripts on the web server. All external sources that I am referencing use an integrity checksum.

Interestingly this restriction was not implemented with the previous SAS installations.

At this point I have to pursue the route to install all external sources on the SAS web server.

Thank you again!

Beate

suga badge.PNGThe SAS Users Group for Administrators (SUGA) is open to all SAS administrators and architects who install, update, manage or maintain a SAS deployment. 

Join SUGA 

Get Started with SAS Information Catalog in SAS Viya

SAS technical trainer Erin Winters shows you how to explore assets, create new data discovery agents, schedule data discovery agents, and much more.

Watch Get Started with SAS Information Catalog in SAS Viya on YouTube

Find more tutorials on the SAS Users YouTube channel.

Discussion stats
  • 2 replies
  • ‎01-20-2022 10:58 AM
  • 2263 views
  • 3 likes
  • 2 in conversation