IBM Security Verify

 View Only
Expand all | Collapse all

http-rsp-header = content-security-policy

  • 1.  http-rsp-header = content-security-policy

    Posted Fri January 20, 2023 09:26 AM

    I am passing the sharepoint url to in frame-ancestors for virtual host websocket application as below.

    http-rsp-header = content-security-policy:TEXT{frame-ancestors 'self' * *}

    but webseal is returning below error.

    HTTP/1.1 400 Bad Request

    can any one suggest what I am doing wrong here. this error is coming when application team is injecting the iframe from sharepoint.

    Best Regards,

    prem Kumar

  • 2.  RE: http-rsp-header = content-security-policy

    Posted Mon January 23, 2023 02:00 AM

    What makes you think the http-rsp-header entry has anything to do with the 400 error return code?

    The former is a setting that changes a *response* header from WebSEAL to the browser.
    The 400 error may be from WebSEAL, but it might also be from the backend, in response to a *request* from the browser.

    First thing I'd do is turn on pdweb.snoop trace and capture the request/response showing the 400. That may give some clues as to:

     - whether or not it is WebSEAL or the backend server that is returning 400
     - what about the request might be unacceptable.

    Shane Weeden