IBM Support

A new security feature in ClearQuest Web may restrict HTML content from displaying correctly

Fix readme


Abstract

To protect against Cross-Frame Scripting attacks, ClearQuest Web provides a security check to prevent HTML content from being displayed on untrusted hosts. Some OSLC integrations might not work properly when this security feature is enabled.

Content

Cross-Frame Scripting (XFS) is a client-side security issue in which attackers exploit bugs in popular web browsers or vulnerabilities in HTML pages to access private data from a third-party website. For a full description of the Cross-Frame Scripting issue, see the web page at https://www.owasp.org/index.php/Cross_Frame_Scripting. ClearQuest Web protects against this vulnerability with a security control that relies on the "Referer" header field of the HTTP request to verify the origin of incoming requests before processing them. In some cases, this approach can be overly restrictive, causing requests from valid clients to be blocked.
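As an added illustration (not ClearQuest Web's own code), the following Python models a Referer-based origin check of the kind described above and shows why it can be overly restrictive: a request whose Referer is absent, or names a host outside the trusted set, is refused even when the client is legitimate. The host names and the trusted-host allowlist are constructed assumptions.

```python
from urllib.parse import urlsplit

# Hypothetical server-side origin check modelled on the behaviour the page
# describes: the Referer request header is inspected before HTML content is
# served. Host names below are constructed for illustration only.

def referer_host(headers):
    """Return the host named by the Referer header, or None if it is absent
    or cannot be parsed (urlsplit already lowercases the hostname)."""
    ref = headers.get("Referer")
    if not ref:
        return None
    return urlsplit(ref).hostname  # None when the value has no host part

def check_origin(headers, own_host, trusted_hosts=()):
    """Decide whether HTML content may be returned for this request.
    Returns (allowed, reason)."""
    host = referer_host(headers)
    if host is None:
        # Strict policy: a missing Referer cannot prove the origin, so the
        # request is blocked. Proxies and privacy settings that strip the
        # header therefore turn valid clients into blocked ones.
        return False, "missing Referer"
    if host == own_host.lower():
        return True, "same host"
    if host in {h.lower() for h in trusted_hosts}:
        # An explicit allowlist is how a deployment lets a known OSLC
        # consumer on another host embed the content (assumption).
        return True, "trusted consumer host"
    return False, "untrusted host " + host

if __name__ == "__main__":
    cq = "cqweb.example.com"
    trusted = ["rtc.example.com"]
    print(check_origin({"Referer": "https://cqweb.example.com/cqweb/"}, cq, trusted))
    print(check_origin({"Referer": "https://rtc.example.com/ccm/"}, cq, trusted))
    print(check_origin({"Referer": "http://other.example.net/"}, cq, trusted))
    print(check_origin({}, cq, trusted))
```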

Below is a list of known issues related to the ClearQuest Web XFS security behavior.


Related information

Configuring ClearQuest Web content with other OSLC serv
Why don't I see CQWeb content in my OSLC dialog?
OSLC secure content does not display in unsecured consu
OWASP Cross-Frame Scripting

Document information

More support for: Rational ClearQuest
Web Server (7.1)

Software version: 7.1.2.6, 7.1.2.7, 8.0.0.2, 8.0.0.3

Operating system(s): AIX, HP-UX, Linux, Solaris, Windows

Reference #: 1588252

Modified date: 21 June 2012