IBM Support

403 Forbidden HTTP Error when loading web applications

Question & Answer


Question

We have a wiki page/document with hyperlinks to all our IBM InfoSphere MDM web applications like Inspector, Webreport etc. Previously we used to click the link and it would open a new browser session in the adjacent tab. But we recently upgraded, and clicking on the hyperlink now gives a 403 Forbidden HTTP error. If we refresh the same page, it reloads and we are presented with a login screen, but the initial load always results in that error. Why are we seeing this error, and can we prevent it?

Cause

A 403 Forbidden HTTP status code is returned in response to a client's request for a resource to indicate that the server was reached and understood the request, but refuses to act on it. In this case, the client's request to load the login page of the application (Inspector, Web Reports) was received by the application server (Apache or WebSphere), but the application server rejected it.


It was rejected because this behavior (using hyperlinks to open new Inspector sessions) is not supported in the newer versions of the product. In previous versions, one could click on a wiki link and have a session open, but after a thorough architectural review we realized that this could result in a security vulnerability, where a malicious page on a different website could cause the browser to execute unauthorized commands in these web applications. Consider a case where the user has two tabs open: the page with the hyperlink and an internet site that contains malicious code. Because the browser attaches the user's existing session credentials to any request it sends to the application, regardless of which tab or site initiated that request, the internet site could potentially execute commands in Inspector if access is allowed to transfer from one tab to another. This vulnerability is known as "Cross-Site Request Forgery" (CSRF), and it exploits the trust that a site has in a user's browser.

To fix this, we revoked the trust that the application previously extended, on the basis of the request's HTTP headers, to requests arriving from other browser tabs. In all newer releases the MDS web apps no longer trust the user's browser session in this way: requests whose headers indicate that they originate from a different domain are forbidden and answered with 403. This design change leads to the observations described in the question above.
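The following is an added illustration of the request-origin policy described above, written for this page and not taken from the MDS product or IBM's code. It assumes a hypothetical application origin (`https://mdm.example.com`) and a hypothetical wiki origin, and it models the policy purely from the page's description: a request carrying an Origin or Referer header from another domain is answered with 403, a same-origin request is allowed, and a request carrying neither header (which is what the browser sends when a URL is typed or pasted into the address bar) is treated as a direct navigation and allowed to reach the login page.

```python
from urllib.parse import urlsplit

# Hypothetical origin of the MDM web application (constructed for this example).
APP_ORIGIN = "https://mdm.example.com"


def _origin_of(url):
    """Reduce a URL (or a bare Origin value) to its scheme://host[:port] origin.

    Returns None when the value cannot be parsed into scheme and host, which
    also covers the special Origin value "null" that browsers send for
    privacy-sensitive or sandboxed contexts.
    """
    parts = urlsplit(url)
    if not parts.scheme or not parts.netloc:
        return None
    return f"{parts.scheme}://{parts.netloc}".lower()


def check_request_origin(headers, app_origin=APP_ORIGIN):
    """Decide whether a request to the application's login page is accepted.

    headers: dict of HTTP request headers (names matched case-insensitively).
    Returns (http_status, reason). Policy modelled on the page's description:
      - Origin header present  -> must equal the application's own origin.
      - else Referer present   -> its origin must equal the application's origin.
      - neither header present -> direct navigation (typed/pasted URL), allowed.
    """
    lowered = {name.lower(): value for name, value in headers.items()}
    source = lowered.get("origin") or lowered.get("referer")
    if source is None:
        return 200, "no cross-site context; direct navigation allowed"
    src_origin = _origin_of(source)
    if src_origin is None:
        return 403, "unparsable or 'null' Origin/Referer rejected"
    if src_origin == app_origin.lower():
        return 200, "same-origin request allowed"
    return 403, f"cross-origin request from {src_origin} forbidden"


# Constructed sample requests covering the scenarios in the question and cause.
SAMPLE_REQUESTS = {
    "click on wiki hyperlink": {"Referer": "https://wiki.example.com/mdm-links"},
    "URL pasted into address bar": {},
    "link inside the app itself": {"Referer": "https://mdm.example.com/inspector/login"},
    "form auto-submitted by another site": {"Origin": "https://other-site.example.net"},
    "sandboxed/opaque origin": {"Origin": "null"},
}


def classify_samples(samples=SAMPLE_REQUESTS):
    """Run the policy over the sample requests and return {label: status}."""
    return {label: check_request_origin(hdrs)[0] for label, hdrs in samples.items()}


if __name__ == "__main__":
    for label, headers in SAMPLE_REQUESTS.items():
        status, reason = check_request_origin(headers)
        print(f"{status}  {label:38s} {reason}")
```

The wiki-link case returns 403 because the browser sends the wiki page's URL as the Referer, while the pasted-URL case returns 200 because a typed navigation carries no Referer at all, which is exactly the difference between the two behaviours the question reports. An origin check of this kind is one layer of CSRF protection; it is commonly combined with per-session anti-CSRF tokens and `SameSite` cookie attributes, since a Referer header can be absent or suppressed by client policy.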

Answer

Because this is a security measure, the behavior is not configurable, and this use case will always lead to the 403 Forbidden error. You may update the wiki/document to advise users either to copy the link and enter it in the browser's address bar instead of clicking it, or, if they must click the link, to ignore the initial page-load failure and simply refresh the login page.


Product Synonym

MDS;Master Data Service;MDM;MDMSE;Master Data Management;IBM Infosphere Master Data Service;MDM Standard Edition;MDM Hybrid Edition;Initiate

Document Information

Modified date:
16 June 2018

UID

swg21668184