
Duplicate Headers created


Article ID: 214389


Products

CA Performance Management - Usage and Administration DX NetOps

Issue/Introduction

When adding in custom headers, they are sent on the first login, but the Content-Security-Policy is sent twice, and at a much less strict setting. So for example, I set the CSP to be the following:

 

 

If I remove the custom headers and leave them blank, the CSP child-src 'self' still gets returned.

 

So according to our security group, we should only be seeing one CSP returned, not two. It does appear that it's hard coded somewhere and getting returned. Should the custom headers not override the default?

Environment

Release : 20.2

Component : PERFORMANCE MANAGEMENT INTEGRATIONS

Resolution

If the SSO setting Allow Performance Center in a frame is set to Disabled per:

https://techdocs.broadcom.com/us/en/ca-enterprise-software/it-operations-management/performance-management/20-2/securing/update-performance-center-website-settings/configure-web-browser-session-settings-using-ssoconfig.html

https://techdocs.broadcom.com/us/en/ca-enterprise-software/it-operations-management/performance-management/20-2/securing/single-sign-on/update-single-sign-on-website-settings.html

Then the header Content-Security-Policy: child-src 'self' is added to sign-in.jsp and change-passwd.jsp, and it will always be included while Allow Performance Center in a frame is set to Disabled, regardless of any custom headers configured.

This header is currently planned for removal in a 21.2.x release; note that this is subject to change and no release dates can be provided at this time.
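To confirm the behaviour described above on a running system, here is an added check that is not part of the article or the product: it parses an HTTP response head and lists every Content-Security-Policy header it carries. The sample sign-in.jsp response below, including the custom policy value, is constructed for illustration.

```python
"""Report duplicate Content-Security-Policy headers in an HTTP response head."""
from typing import Dict, List, Tuple


def parse_response_head(raw: str) -> Tuple[str, List[Tuple[str, str]]]:
    """Split a raw HTTP response into (status line, [(name, value), ...]).
    Header names are lower-cased; duplicates are kept in arrival order."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        if not line.strip():
            continue
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers


def csp_directives(policy: str) -> Dict[str, List[str]]:
    """Parse one CSP policy string into {directive: [source expressions]}."""
    out: Dict[str, List[str]] = {}
    for part in policy.split(";"):
        tokens = part.strip().split()
        if tokens:
            out[tokens[0].lower()] = tokens[1:]
    return out


def duplicate_csp_report(raw: str) -> dict:
    """Return how many CSP headers were sent and the directives of each."""
    status, headers = parse_response_head(raw)
    policies = [v for n, v in headers if n == "content-security-policy"]
    return {
        "status": status,
        "csp_count": len(policies),
        "policies": [csp_directives(p) for p in policies],
        "duplicate": len(policies) > 1,
    }


# Constructed sample: a sign-in.jsp response carrying a custom CSP (assumed
# value) plus the hard-coded child-src 'self' header that the SSO setting
# "Allow Performance Center in a frame = Disabled" appends.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html;charset=UTF-8\r\n"
    "Content-Security-Policy: default-src 'self'; frame-ancestors 'none'\r\n"
    "X-Frame-Options: DENY\r\n"
    "Content-Security-Policy: child-src 'self'\r\n"
    "\r\n"
    "<html>...</html>"
)

if __name__ == "__main__":
    print(duplicate_csp_report(SAMPLE_RESPONSE))
```

Browsers enforce every CSP header they receive, so the second child-src 'self' policy further restricts rather than loosens the custom one; it still appears as a duplicate in any header audit, which is what this check surfaces.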