by

All requests that go through the RMS Remote HTTPs API automatically get the following CSP (Content-Security-Policy) header:

Content-Security-Policy: frame-ancestors 'self' rms.teltonika-networks.com *.rms.teltonika-networks.com

This header is set even if the response from the target API already contains a CSP header (in that case the CSP header is added twice). Embedding a website that is hosted using RMS Remote HTTPs in an iFrame is impossible due to the fact that the CSP does not match. Is there any way to prevent the RMS Remote HTTPs API from adding the CSP header to requests (e.g. if the header is already set)?
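An added example, not from the original post or from Teltonika, of how a browser applies `frame-ancestors` when a response carries two Content-Security-Policy headers: each header is enforced as a separate policy, and framing is allowed only if every policy permits the embedding origin, which is why a proxy-added header blocks the iframe even when the origin server's own header would allow it. The `dashboard.example.com` origin and the server's own header are constructed values; the matching is simplified relative to the CSP3 spec (no port or path matching).

```python
"""Evaluate frame-ancestors across multiple CSP headers (added example)."""
from urllib.parse import urlsplit


def parse_frame_ancestors(csp: str):
    """Return the source list of frame-ancestors, or None if the directive is absent."""
    for directive in csp.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            return parts[1:]
    return None


def source_matches(source: str, ancestor: str, self_origin: str) -> bool:
    """Match one source expression ('none', 'self', scheme:, host, *.host, origin).
    Simplified: ports and paths are ignored; a scheme-less host expression
    takes the scheme of the protected resource (self_origin)."""
    src = source.strip("'").lower()
    a = urlsplit(ancestor)
    if src == "none":
        return False
    if src == "self":
        return ancestor.lower() == self_origin.lower()
    if src.endswith(":") and "/" not in src:      # bare scheme such as "https:"
        return a.scheme == src[:-1]
    if "://" not in src:
        src = f"{urlsplit(self_origin).scheme}://{src}"
    s = urlsplit(src)
    if s.scheme != a.scheme:
        return False
    host = s.hostname or ""
    if host.startswith("*."):                      # wildcard matches any subdomain
        return (a.hostname or "").endswith(host[1:])
    return a.hostname == host


def framing_allowed(csp_headers, ancestor_origin: str, self_origin: str) -> bool:
    """True only if every CSP header that mentions frame-ancestors allows the ancestor.
    Headers without the directive place no restriction on framing."""
    for csp in csp_headers:
        sources = parse_frame_ancestors(csp)
        if sources is None:
            continue
        if not any(source_matches(s, ancestor_origin, self_origin) for s in sources):
            return False
    return True


# The header from the post, plus a constructed header from the origin server.
RMS_CSP = "frame-ancestors 'self' rms.teltonika-networks.com *.rms.teltonika-networks.com"
SERVER_CSP = "frame-ancestors 'self' https://dashboard.example.com"
SELF = "https://rms.teltonika-networks.com"
```

With only `SERVER_CSP` the constructed dashboard may frame the page; once `RMS_CSP` is added as a second header, `framing_allowed` returns False because the second policy does not list that origin.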

by
Hello,

Reply from RMS team:

"CSP headers are no longer set for /account/authorize endpoint in Production RMS environment.

Removing the CSP headers from all RMS pages would introduce a security risk because other websites could impersonate RMS using iframes."

Best regards,
by
Thank you for the response. I do understand that this poses a security risk if no CSP header is set at all. That's why my proposal would be that if the server (my own API endpoint) already sends the CSP header, the RMS should not add its own CSP header.

My setup is as follows:

iFrame -> RMS HTTP API -> Teltonika Router -> Server

In case the Server already sets the CSP header, I am expecting the RMS to let the response pass without adding its own additional CSP header. Is that possible?

1 Answer

by
Hello,

Thank you for contacting us.

The issue has been reported to the RMS team.

Once there are further developments, I will provide them here.

Best regards,