IBM Support

Enhanced security for the Report Server for Crystal Reports

Question & Answer


Question

How do I configure the ClearQuest Report Server for Crystal Reports to protect against cross-frame scripting attacks?

Answer

Cross-Frame Scripting (XFS) is a client-side security issue in which attackers exploit bugs in popular web browsers or vulnerabilities in HTML pages to access private data from a third-party website. For a full description of the Cross-Frame Scripting issue, see https://www.owasp.org/index.php/Cross_Frame_Scripting. By default, content returned by the Report Server for Crystal Reports can be embedded without restriction by web applications hosted on other web servers. Use the following instructions to restrict the web domains that are permitted to embed content from the Report Server for Crystal Reports.

1) Edit the Report Server for Crystal Reports configuration file
<WebSphereProfileDir>/installedApps/WebSphereAppServer-cell/RationalClearQuestWebReport.ear/CQWebReportModule.war/WEB-INF/classes/crconfiguration.properties

2) Add or update the property named ReferrerDomains, and provide a semicolon separated list of server domain names that are permitted to embed content from the Report Server for Crystal Reports. For example:
ReferrerDomains=www.ibm.com;myclearquestweb.com

3) Stop and restart IBM WebSphere Application Server to activate the configuration changes.
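The following is an added example, not IBM's code and not part of the original technote. It reads a constructed fragment of crconfiguration.properties, extracts the ReferrerDomains list in the semicolon-separated form shown in step 2, and evaluates whether a given embedding page would be permitted. The page does not document how the Report Server itself performs the check; the assumptions here are that the embedding host is taken from an HTTP Referer URL, that matching is an exact, case-insensitive host comparison, and that an absent or empty property reproduces the default (no restriction). It is useful as a pre-restart sanity check of the property value and as a way to see that a subdomain or look-alike host is not matched by accident.

```python
"""Check a ReferrerDomains setting from crconfiguration.properties.

Added example (hypothetical helper, not IBM's implementation). Assumes:
  * the embedding origin is the host of an HTTP Referer URL,
  * matching is an exact, case-insensitive host comparison,
  * a missing/empty ReferrerDomains means "unrestricted" (the default
    behaviour described in the technote).
"""
from urllib.parse import urlsplit

# Constructed sample of the relevant part of crconfiguration.properties
# (trailing separator and whitespace are deliberate, to exercise parsing).
SAMPLE_PROPERTIES = """
# Report Server for Crystal Reports configuration (constructed sample)
SomeOtherProperty=value
ReferrerDomains=www.ibm.com;myclearquestweb.com ;
"""

# A sample with the property absent: the default, unrestricted state.
UNRESTRICTED_PROPERTIES = """
SomeOtherProperty=value
"""


def parse_properties(text: str) -> dict:
    """Minimal Java .properties reader: key=value or key:value,
    blank lines and lines starting with '#' or '!' are ignored."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        if "=" in line:
            key, _, value = line.partition("=")
        elif ":" in line:
            key, _, value = line.partition(":")
        else:
            key, value = line, ""
        props[key.strip()] = value.strip()
    return props


def allowed_referrer_domains(props: dict) -> list:
    """Split ReferrerDomains on ';', dropping blanks and normalising case.
    An empty list means the property is absent or empty."""
    value = props.get("ReferrerDomains", "")
    return [d.strip().lower() for d in value.split(";") if d.strip()]


def referrer_host(referrer_url: str) -> str:
    """Host part of a Referer URL, lower-cased; '' if none."""
    host = urlsplit(referrer_url).hostname
    return host.lower() if host else ""


def embedding_permitted(referrer_url: str, domains: list) -> bool:
    """Assumed policy: exact host match against the configured list.
    With no configured domains, everything is permitted (the default)."""
    if not domains:
        return True
    return referrer_host(referrer_url) in domains


def is_restricted(properties_text: str) -> bool:
    """True when the file actually restricts embedding, i.e. at least one
    domain is configured. Use this before restarting WebSphere."""
    return bool(allowed_referrer_domains(parse_properties(properties_text)))


if __name__ == "__main__":
    domains = allowed_referrer_domains(parse_properties(SAMPLE_PROPERTIES))
    print("configured domains:", domains)
    for url in ("https://www.ibm.com/reports",
                "https://myclearquestweb.com/frame.html",
                "https://www.ibm.com.example.test/",   # look-alike host
                "https://sub.myclearquestweb.com/"):    # subdomain, not listed
        print(f"{url:45} -> {embedding_permitted(url, domains)}")
    print("sample restricted:", is_restricted(SAMPLE_PROPERTIES))
    print("default restricted:", is_restricted(UNRESTRICTED_PROPERTIES))
```

Because the match is an exact host comparison, a subdomain such as sub.myclearquestweb.com is rejected unless it is listed explicitly; list every host that legitimately embeds reports, then stop and restart WebSphere Application Server as in step 3.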

The ClearQuest Web client uses a similar approach to guard against XFS attacks. Some considerations and known issues are described in the Related Information links below.


Document Information

Modified date:
16 June 2018

UID

swg21590691