To protect against Cross-Frame Scripting attacks, ClearQuest Web provides a security check to prevent HTML content from being displayed on untrusted hosts. Some OSLC integrations might not work properly when this security feature is enabled.
Cross-Frame Scripting (XFS) is a client-side security issue whereby attackers exploit bugs in popular web browsers or vulnerabilities on HTML pages to access private data from a third-party website. For a full description of the Cross Frame Scripting issue, see the web page at https://www.owasp.org/index.php/Cross_Frame_Scripting. ClearQuest Web protects against this vulnerability by using a security control that relies on the "Referrer" header field for the HTTP request to verify the origin of incoming requests before processing. In some cases, this approach can be overly restrictive, causing requests from valid clients to be blocked.
Below is a list of known issues related to the ClearQuest Web XFS security behavior.
- When upgrading from a previous version of ClearQuest Web, existing integrations with other OSLC service providers might not work properly. To update your server configuration files, see technote 1584532 Configuring ClearQuest Web content with other OSLC service providers.
- If you currently have desktop applications that can connect to ClearQuest Web as an OSLC consumer, you might need to make some configuration changes to resolve the problem. For details, see technote 1587046 Why don’t I see CQWeb content in my OSLC dialog?
- Due to security restrictions, Internet Explorer and Firefox do not pass the Referer header when ClearQuest content is served within an unsecured iframe while the parent frame is secured. For additional information, see technote 1586892 OSLC secure content does not display in unsecured consumer frame.
16 June 2018