IBM Security Verify


http-rsp-header = content-security-policy

  • 1.  http-rsp-header = content-security-policy

    Posted Fri January 20, 2023 09:26 AM
    Hi,

    I am passing the SharePoint URL in frame-ancestors for a virtual host websocket application as below.

    http-rsp-header = content-security-policy:TEXT{frame-ancestors 'self' *.xxx-group.com *.intapp.eu xxxgroup.sharepoint.com xxxgroup.sharepoint.com}

    But WebSEAL is returning the error below.

    HTTP/1.1 400 Bad Request

    Can anyone suggest what I am doing wrong here? This error occurs when the application team is injecting the iframe from SharePoint.

    Best Regards,

    ------------------------------
    prem Kumar
    ------------------------------


  • 2.  RE: http-rsp-header = content-security-policy

    Posted Mon January 23, 2023 02:00 AM

    What makes you think the http-rsp-header entry has anything to do with the 400 error return code?

    The former is a setting that changes a *response* header from WebSEAL to the browser.
    The 400 error may be from WebSEAL, but it might also be from the backend, in response to a *request* from the browser.

    First thing I'd do is turn on pdweb.snoop trace and capture the request/response showing the 400. That may give some clues as to:

     - whether or not it is WebSEAL or the backend server that is returning 400
     - what about the request might be unacceptable.




    ------------------------------
    Shane Weeden
    IBM
    ------------------------------
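
Added example, not part of either post and not IBM code: a small Python check that parses the `http-rsp-header` entry quoted in the first post and lints its `frame-ancestors` source list against the CSP source grammar, so the header value can be ruled in or out before reading the trace. The entry shape `header:TEXT{value}` is assumed from the post alone, and the function names are hypothetical.

```python
import re

# Constructed from the entry quoted in the first post (placeholders kept as posted).
ENTRY = ("http-rsp-header = content-security-policy:TEXT{frame-ancestors 'self' "
         "*.xxx-group.com *.intapp.eu xxxgroup.sharepoint.com xxxgroup.sharepoint.com}")

# Assumed entry shape, taken only from the post: http-rsp-header = header:TEXT{value}
ENTRY_RE = re.compile(r"^\s*http-rsp-header\s*=\s*([A-Za-z0-9-]+):TEXT\{(.*)\}\s*$")
# CSP host-source: optional scheme, optional leading "*." wildcard, optional port and path
HOST_RE = re.compile(
    r"^(?:[a-z][a-z0-9+.-]*://)?(?:\*|(?:\*\.)?[a-z0-9-]+(?:\.[a-z0-9-]+)*)"
    r"(?::(?:\d+|\*))?(?:/\S*)?$", re.I)
SCHEME_RE = re.compile(r"^[a-z][a-z0-9+.-]*:$", re.I)


def parse_entry(line):
    """Return (header_name, value) from an http-rsp-header TEXT{} entry."""
    m = ENTRY_RE.match(line)
    if not m:
        raise ValueError("not an http-rsp-header TEXT{} entry")
    return m.group(1).lower(), m.group(2).strip()


def lint_frame_ancestors(csp_value):
    """Return a list of findings for the frame-ancestors directive."""
    findings = []
    directives = [d.split() for d in csp_value.split(";") if d.strip()]
    fa = [d for d in directives if d[0].lower() == "frame-ancestors"]
    if not fa:
        return ["no frame-ancestors directive"]
    sources, seen = fa[0][1:], set()
    if not sources:
        findings.append("empty source list (equivalent to 'none')")
    for src in sources:
        key = src.lower()
        if key in seen:
            findings.append(f"duplicate source: {src}")
        seen.add(key)
        if key in ("'self'", "'none'"):
            if key == "'none'" and len(sources) > 1:
                findings.append("'none' combined with other sources")
        elif src.startswith("'"):
            # nonces, hashes and 'unsafe-*' keywords are not ancestor sources
            findings.append(f"keyword not valid in frame-ancestors: {src}")
        elif not (SCHEME_RE.match(src) or HOST_RE.match(src)):
            findings.append(f"not a valid host or scheme source: {src}")
    return findings


if __name__ == "__main__":
    name, value = parse_entry(ENTRY)
    print(name, lint_frame_ancestors(value))
```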