by anonymous

All requests that go through the RMS Remote HTTPs API automatically get the following CSP (Content-Security-Policy) header:

Content-Security-Policy: frame-ancestors 'self' rms.teltonika-networks.com *.rms.teltonika-networks.com

This header is set even if the response from the target API already contains a CSP header (in that case the CSP header is added twice). Embedding a website that is hosted using RMS Remote HTTPs in an iFrame is impossible because the CSP does not match. Is there any way to prevent the RMS Remote HTTPs API from adding the CSP header to requests (e.g. if the header is already set)?

by anonymous
Hello,

Reply from RMS team:

"CSP headers are no longer set for /account/authorize endpoint in Production RMS environment.

Removing the CSP headers from all RMS pages would introduce a security risk because other websites could impersonate RMS using iframes."

Best regards,
by anonymous
Thank you for the response. I do understand that this poses a security risk if no CSP header is set at all. That's why my proposal would be that if the server (my own API endpoint) sends the CSP header already, the RMS should not add its own CSP header.

My setup is as follows:

iFrame -> RMS HTTP API -> Teltonika Router -> Server

In case the Server sets the CSP header already I am expecting the RMS to let the response pass without adding its own additional CSP header. Is that possible?
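Why a second CSP header from the backend does not help here: a browser enforces every Content-Security-Policy header on a response independently, so the embedding page must satisfy the RMS header and the backend header at the same time. The following is an added illustration, not code from the thread or from Teltonika; it models a simplified frame-ancestors check (no port or path matching), assumes the iframe loads the page from the RMS origin so that 'self' means rms.teltonika-networks.com, and uses a hypothetical backend policy allowing https://portal.example.com.

```javascript
// Return the source list of the frame-ancestors directive, or null if absent.
function frameAncestors(policy) {
  for (const directive of policy.split(';')) {
    const tokens = directive.trim().split(/\s+/);
    if (tokens[0] === 'frame-ancestors') return tokens.slice(1);
  }
  return null; // no frame-ancestors directive: this policy does not restrict framing
}

// Simplified source-expression matching (scheme + host, with leading wildcard).
function sourceMatches(source, embedderOrigin, responseOrigin) {
  const src = source.replace(/^'|'$/g, '');
  if (src === 'none') return false;
  if (src === 'self') return embedderOrigin === responseOrigin;
  if (src === '*') return true;
  const [scheme, host] = src.includes('://') ? src.split('://') : [null, src];
  const o = new URL(embedderOrigin);
  if (scheme && scheme + ':' !== o.protocol) return false;
  if (host.startsWith('*.')) return o.hostname.endsWith(host.slice(1));
  return o.hostname === host;
}

// One policy allows framing if any of its frame-ancestors sources matches.
function policyAllows(policy, embedderOrigin, responseOrigin) {
  const sources = frameAncestors(policy);
  if (sources === null) return true;
  return sources.some(s => sourceMatches(s, embedderOrigin, responseOrigin));
}

// Several CSP headers on one response: the frame is allowed only if ALL allow it.
function framingAllowed(policies, embedderOrigin, responseOrigin) {
  return policies.every(p => policyAllows(p, embedderOrigin, responseOrigin));
}

// The header RMS adds (quoted in the question) and a constructed backend header.
const RMS_CSP = "frame-ancestors 'self' rms.teltonika-networks.com *.rms.teltonika-networks.com";
const BACKEND_CSP = "frame-ancestors 'self' https://portal.example.com"; // hypothetical
const RESPONSE_ORIGIN = 'https://rms.teltonika-networks.com'; // assumption: page served via RMS

// Backend policy alone would allow the portal; RMS policy alone allows RMS hosts;
// both together block the portal, which is exactly the situation described above.
console.log(framingAllowed([BACKEND_CSP], 'https://portal.example.com', RESPONSE_ORIGIN)); // true
console.log(framingAllowed([RMS_CSP], 'https://sub.rms.teltonika-networks.com', RESPONSE_ORIGIN)); // true
console.log(framingAllowed([RMS_CSP, BACKEND_CSP], 'https://portal.example.com', RESPONSE_ORIGIN)); // false
```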

1 Answer

by anonymous
Hello,

Thank you for contacting us.

The issue has been reported to the RMS team.

Once there are further developments, I will provide them here.

Best regards,