IBM Support

A new security feature in ClearQuest Web may restrict HTML content from displaying correctly

Fix Readme


Abstract

To protect against Cross-Frame Scripting attacks, ClearQuest Web provides a security check to prevent HTML content from being displayed on untrusted hosts. Some OSLC integrations might not work properly when this security feature is enabled.

Content

Cross-Frame Scripting (XFS) is a client-side security issue whereby attackers exploit bugs in popular web browsers or vulnerabilities on HTML pages to access private data from a third-party website.  For a full description of the Cross Frame Scripting issue, see the web page at https://www.owasp.org/index.php/Cross_Frame_Scripting. ClearQuest Web protects against this vulnerability by using a security control that relies on the "Referrer" header field for the HTTP request to verify the origin of incoming requests before processing.  In some cases, this approach can be overly restrictive, causing requests from valid clients to be blocked. 

Below is a list of known issues related to the ClearQuest Web XFS security behavior.

[{"Product":{"code":"SSSH5A","label":"Rational ClearQuest"},"Business Unit":{"code":"BU004","label":"Hybrid Cloud"},"Component":"Web Server (7.1)","Platform":[{"code":"PF002","label":"AIX"},{"code":"PF010","label":"HP-UX"},{"code":"PF016","label":"Linux"},{"code":"PF027","label":"Solaris"},{"code":"PF033","label":"Windows"}],"Version":"7.1.2.6;7.1.2.7;8.0.0.2;8.0.0.3","Edition":""}]

Document Information

Modified date:
16 June 2018

UID

swg21588252