MFT Command Center and Internet Server issue setting Content-Security-Policy in the HTTP header

Article ID: KB0073949

Products: TIBCO Managed File Transfer Command Center
Versions: 8.3.0

Description

After applying hotfix 8.3.0_HF-001 or 8.3.0_HF-002, the Content-Security-Policy header was not added to the HTTP response. The 8.3.0_HF-001 or 8.3.0_HF-002 installation incorrectly updated web.xml.

The headerName init-param of the ContentSecurityPolicy filter was written without a param-value, so the Content-Security-Policy header was never sent.

After installing the hotfix, the filter entry in web.xml looked like this (the headerName param-value is empty):
<filter>
    <filter-name>ContentSecurityPolicy</filter-name>
    <filter-class>com.proginet.sift.filter.ResponseHeaderFilter</filter-class>
    <init-param>
        <param-name>headerName</param-name>
        <param-value /> <!-- empty: the filter has no header name to emit -->
    </init-param>
    <init-param>
        <param-name>headerValue</param-name>
        <param-value>script-src 'self' 'unsafe-inline'; object-src 'self'; img-src blob: data: 'self'; style-src 'self' 'unsafe-inline'; default-src 'self'</param-value>
    </init-param>
</filter>

Environment

All supported environments

Resolution

There are two resolutions to this issue. Either resolution must be applied to each Internet Server or Command Center on which hotfix 8.3.0_HF-001 or 8.3.0_HF-002 was installed.

Resolution 1: Install hotfix 8.3.0_HF-003 or later. Note that at the time this advisory was written, hotfix 8.3.0_HF-003 was not GA.

Resolution 2: In web.xml, replace the empty headerName param-value of the ContentSecurityPolicy filter with this line:
<param-value>Content-Security-Policy</param-value>
Then restart the Internet Server or Command Center.
Here is an example of the ContentSecurityPolicy filter after the change has been made:
<filter>
    <filter-name>ContentSecurityPolicy</filter-name>
    <filter-class>com.proginet.sift.filter.ResponseHeaderFilter</filter-class>
    <init-param>
        <param-name>headerName</param-name>
        <param-value>Content-Security-Policy</param-value>
    </init-param>
    <init-param>
        <param-name>headerValue</param-name>
        <param-value>script-src 'self' 'unsafe-inline'; object-src 'self'; img-src blob: data: 'self'; style-src 'self' 'unsafe-inline'; default-src 'self'</param-value>
    </init-param>
</filter>
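To confirm the fix across many servers before restarting, a script can scan each web.xml for ResponseHeaderFilter entries whose headerName is empty. The following is an added example, not TIBCO's code; it assumes the filter layout shown above and uses constructed web.xml fragments that mirror the before and after snippets.

```python
# Added example (not TIBCO's code): scan a web.xml for ResponseHeaderFilter
# entries whose headerName param-value is empty, the state left by HF-001/HF-002.
import xml.etree.ElementTree as ET

RESPONSE_HEADER_FILTER = "com.proginet.sift.filter.ResponseHeaderFilter"

def _local(tag):
    # web.xml usually declares a default namespace; compare local names only.
    return tag.rsplit("}", 1)[-1]

def _child_text(elem, name):
    for child in elem:
        if _local(child.tag) == name:
            return (child.text or "").strip()
    return ""

def response_header_filters(web_xml):
    """Map each ResponseHeaderFilter's filter-name to (headerName, headerValue)."""
    found = {}
    for flt in ET.fromstring(web_xml).iter():
        if _local(flt.tag) != "filter" or _child_text(flt, "filter-class") != RESPONSE_HEADER_FILTER:
            continue
        params = {_child_text(p, "param-name"): _child_text(p, "param-value")
                  for p in flt if _local(p.tag) == "init-param"}
        found[_child_text(flt, "filter-name")] = (params.get("headerName", ""),
                                                  params.get("headerValue", ""))
    return found

def filters_missing_header_name(web_xml):
    """Filter names whose headerName is empty: that header is never sent."""
    return sorted(n for n, (hdr, _) in response_header_filters(web_xml).items() if not hdr)

# Constructed web.xml fragments mirroring the article's before/after snippets.
_TEMPLATE = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee">
  <filter>
    <filter-name>ContentSecurityPolicy</filter-name>
    <filter-class>com.proginet.sift.filter.ResponseHeaderFilter</filter-class>
    <init-param><param-name>headerName</param-name>{header_name}</init-param>
    <init-param><param-name>headerValue</param-name>
      <param-value>default-src 'self'</param-value></init-param>
  </filter>
</web-app>"""
BROKEN_WEB_XML = _TEMPLATE.format(header_name="<param-value />")
FIXED_WEB_XML = _TEMPLATE.format(header_name="<param-value>Content-Security-Policy</param-value>")

if __name__ == "__main__":
    for label, xml in (("broken", BROKEN_WEB_XML), ("fixed", FIXED_WEB_XML)):
        print(label, "filters missing headerName:", filters_missing_header_name(xml))
```

Run it against the real web.xml of each Internet Server or Command Center; any filter it reports needs Resolution 2 (or HF-003) and a restart.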
