The Horizon Connection Server must enable the Content Security Policy.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-246909	HRZV-7X-000028	SV-246909r768687_rule		Medium

Description
The Horizon Connection Server Content Security Policy (CSP) feature mitigates a broad class of content injection vulnerabilities, such as cross-site scripting (XSS), clickjacking and other code injection attacks resulting from execution of malicious content in the trusted web page context. The Connection Server defines the policy and the client browser enforces the policy. This feature is enabled by default but must be validated and maintained over time.

Description

The Horizon Connection Server Content Security Policy (CSP) feature mitigates a broad class of content injection vulnerabilities, such as cross-site scripting (XSS), clickjacking and other code injection attacks resulting from execution of malicious content in the trusted web page context. The Connection Server defines the policy and the client browser enforces the policy. This feature is enabled by default but must be validated and maintained over time.

STIG	Date
VMware Horizon 7.13 Connection Server Security Technical Implementation Guide	2021-07-30

Details

Check Text ( C-50341r768685_chk )
On the Horizon Connection Server, navigate to "\VMware\VMware View\Server\sslgateway\conf". If a file named "locked.properties" does not exist in this path, this is NOT a finding. Open "locked.properties" in a text editor. Find the "enableCSP" setting. If there is no "enableCSP" setting, this is NOT a finding. If "enableCSP" is set to "false", this is a finding.

Fix Text (F-50295r768686_fix)
On the Horizon Connection Server, navigate to "\VMware\VMware View\Server\sslgateway\conf". Open "locked.properties" in a text editor. Remove the following line: enableCSP=false Save and close the file. Restart the "VMware Horizon View Connection Server" service for changes to take effect.