CA Service Management

  • 1.  service catalog catalog browse page

    Posted Sep 16, 2019 02:32 AM
    Hello,

    We have a customization to show the most used services on the Request page.
    This is working fine in version 12.9. But now we are seeing the below error in Chrome, while it works fine in IE. Any suggestions?

    Refused to frame 'http://******' because it violates the following Content Security Policy directive: "default-src 'self'". Note that 'frame-src' was not explicitly set, so 'default-src' is used as a fallback.

    Thanks,
    Rajasheker Chittanur


  • 2.  RE: service catalog catalog browse page

    Broadcom Employee
    Posted Sep 16, 2019 06:37 AM
    Without knowing the details of your customization, my first suspicion is that this is due to the CORS filter that 17.2 uses for security. You'll find details about its standard settings in the patch notes from when it first arrived in 14.1; I suspect your customization is pointing to a frame served outside the main service:

    https://docops.ca.com/ca-service-management/14-1/en/implementing/implement-ca-service-management-14-1-04/post-install-tasks-for-ca-service-management-14-1-04/post-install-steps-for-ca-service-catalog#PostInstallStepsforCAServiceCatalog-EnableCORSfilter

    regards
    Iain


  • 3.  RE: service catalog catalog browse page

    Posted Sep 16, 2019 12:25 PM

    Hello,

    Thank you for the input, but this didn't resolve our issue.

    Here is a more detailed explanation. We added the code below to the catalog browse file:

    <xsl:if test="/xmlRoot/icuser/domainroles/COLLECTION/domainrole/role!='enduser'">
      <!-- Section header, shown only to users who are not plain end users -->
      <table cellpadding="1" cellspacing="0" width="100%">
        <tr>
          <td height="15"></td>
        </tr>
        <tr>
          <td class="sectiontd_left" style="padding:0px;"><img src="images/spacer.png" width="4" height="20" border="0"/></td>
          <td class="sectiontd" width="100%" nowrap="true" style="padding:0px;"><xsl:value-of select="$xslcontent/bh_top_issues"/></td>
          <td class="sectiontd_right" style="padding:0px;"><img src="images/spacer.png" width="4" height="20" border="0"/></td>
        </tr>
      </table>
      <!-- Embedded "top 10 issues" page, served by a separate IIS host on port 8081 -->
      <table cellpadding="0" cellspacing="0" width="100%">
        <tr width="100%" height="175px" bgcolor="White">
          <td width="100%"><iframe src="http://********:8081/Top10SOLV/top10issues.html" width="100%" height="175" frameBorder="0" scrolling="no">Your Browser Is Not Supported</iframe></td>
        </tr>
        <script language="javascript">redirectURL()</script>
      </table>
    </xsl:if>


    The page in the iframe tag is hosted on IIS.

    This works perfectly fine in IE, but we get the error below in Chrome.

    Screenshot from Chrome (note: I don't have any extensions in Chrome):

    Below is the screenshot from IE:

    If you need a more detailed explanation, we can have a WebEx so that I can show everything in detail.


    Thanks and Regards,

    Rajasheker Chittanur

    Service Catalog Development and Support
    Baker Hughes, a GE company

    Office: +1 713 879 4625| Mobile: +1 469 434 4384

    Rajasheker.Chittanur@bakerhughes.com

  • 4.  RE: service catalog catalog browse page

    Broadcom Employee
    Posted Sep 16, 2019 12:36 PM
    This message should be related to cross-site scripting (XSS) protections.
    This is why the previous poster mentioned the CORS filter in the web.xml file.
    However, it could also be browser patches that added additional protections and things like that.
    Plus since you are on 12.9 I'm not sure that there are any XSS protections added by the product itself in that old release.
    You mentioned that this started in Chrome, and I suspect this was after Chrome updated and not after installing anything in the product itself?
    More than likely the problem will start in IE as well once it becomes up to date on patches because XSS vulnerabilities are a big concern and there's been a lot of changes to protect against them. You may need to rewrite this customization.
    I suggest trying to google XSS protection added to Chrome and see what patch may have caused it and if specific examples are available from other people.
    I hope this helps a little,
    Scott Karbiner


  • 5.  RE: service catalog catalog browse page

    Posted Sep 16, 2019 04:35 PM

    Hi Scott,

    Thank you for the input. But our production system is on 12.9, where this is working on the same version of Chrome. Our test system, which is on 17.2.02, is where this is not working.


    Thanks and Regards,

    Rajasheker Chittanur

    Service Catalog Development and Support
    Baker Hughes, a GE company

    Office: +1 713 879 4625| Mobile: +1 469 434 4384

    Rajasheker.Chittanur@bakerhughes.com

  • 6.  RE: service catalog catalog browse page
    Best Answer

    Broadcom Employee
    Posted Sep 16, 2019 04:44 PM
    Ahh.. that makes more sense. 12.9 and 17.2 are completely different so it would be like comparing apples and oranges. So basically you are starting from scratch in 17.2 and trying to display an embedded frame (if I understand properly). I have had one person report something similar and my recommendation was as follows:
    "
    What I can think of that would block this on the Tomcat side of Catalog would be the cross-site scripting (XSS) protection and clickjack protection. First (obviously) make sure that your links work outside of frames from the Catalog box itself. If so, check web.xml under %USM_HOME%\view\webapps\usm\WEB-INF\ and search for ClickjackFilter; in that section you will see a limit for SAMEORIGIN, an OriginWrapperFilter and a CorsFilter, any of which could block this.
    "
    They said that they modified these settings and it solved the problem. If this doesn't solve it for you then I'm really at a loss since there shouldn't be anything else caring about the origin.
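    As an added illustration (not code from this thread or from CA Service Management), a small Python checker that applies the directive fallback chain named in the Chrome error from the first post (frame-src, then child-src, then default-src) and shows that the targeted fix is an explicit frame-src entry for the IIS host rather than a looser default-src; the hostnames and policies below are constructed placeholders.

```python
"""Decide whether a CSP lets a page embed a given frame, mirroring Chrome's fallback message.

Constructed example: hosts, ports and policies are placeholders, not values from any product.
"""
from __future__ import annotations
from urllib.parse import urlparse

# Framing is governed by the first of these directives that the policy defines.
FRAME_FALLBACK = ("frame-src", "child-src", "default-src")


def parse_csp(header: str) -> dict[str, list[str]]:
    """Split 'dir a b; dir2 c' into {'dir': ['a', 'b'], 'dir2': ['c']}."""
    policy: dict[str, list[str]] = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def source_matches(expr: str, url: str, page_origin: str) -> bool:
    """Match one source expression: 'none', 'self', '*', a scheme (https:) or a host source."""
    target, page = urlparse(url), urlparse(page_origin)
    if expr == "'none'":
        return False
    if expr == "'self'":  # same scheme, host and explicit port as the embedding page
        return (target.scheme, target.hostname, target.port) == (page.scheme, page.hostname, page.port)
    if expr == "*":
        return True
    if expr.endswith(":"):  # scheme source such as https:
        return target.scheme == expr[:-1]
    # Host source, optionally with scheme and port; explicit default ports are not normalized.
    allowed = urlparse(expr if "://" in expr else f"{target.scheme}://{expr}")
    return (allowed.scheme, allowed.hostname) == (target.scheme, target.hostname) and allowed.port == target.port


def frame_allowed(header: str, frame_url: str, page_origin: str) -> tuple[bool, str]:
    """Return (allowed, directive that decided it); '' means no directive restricts framing."""
    policy = parse_csp(header)
    for directive in FRAME_FALLBACK:
        if directive in policy:
            return any(source_matches(e, frame_url, page_origin) for e in policy[directive]), directive
    return True, ""


# Constructed scenario: the catalog page on 8080 embeds a "top 10 issues" page from IIS on 8081.
PAGE = "http://catalog.example.internal:8080"
FRAME = "http://catalog.example.internal:8081/Top10SOLV/top10issues.html"
CURRENT = "default-src 'self'"                                                  # policy quoted in the error
FIXED = "default-src 'self'; frame-src 'self' http://catalog.example.internal:8081"  # allow only that host

if __name__ == "__main__":
    for name, csp in (("current", CURRENT), ("fixed", FIXED)):
        ok, used = frame_allowed(csp, FRAME, PAGE)
        print(f"{name}: allowed={ok} (decided by {used or 'no directive'})")
```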