Security section

The Security section contains two fields related to clickjacking prevention. These settings help stop a malicious site from tricking users into clicking something other than what they believe they are clicking on. See https://en.wikipedia.org/wiki/Clickjacking.

The values, if provided, are used in this section of FsOptivaWeb/Web.config:


<system.webServer> 
  <httpProtocol>
    <customHeaders> 
     <add name="X-Frame-Options" value="ALLOW-FROM https://mingleinteg01-portal.mingledev.infor.com"/>      
     <add name="Content-Security-Policy" value="frame-ancestors 
      https://mingleinteg01-portal.mingledev.infor.com https://optivadev.infor.com" />
     <add name="P3P" value="CP=Infor doesn't have any p3p policies." />
    </customHeaders>
  </httpProtocol> 
</system.webServer>
Component: X-Frame-Options Top Site URL
Description: A single URL identifying the top-level URL of the site and application that host the Optiva application.

The value is used as the X-Frame-Options ALLOW-FROM attribute value in the configuration file. Do not include the ALLOW-FROM part in the PLM Process Configuration Settings dialog; specify only the URL.

Component: Content Security Policy 2 URLs
Description: One or more URLs, each separated by a single space. The URLs identify all of the sites and application names in the hierarchy in which Optiva is expected to run.

Suppose Optiva web is hosted by one site on server A. The application runs within the Infor Ming.le CE portal, which is hosted by another site on server B. In that case you must specify the URLs for both the Optiva web client and the portal.

Do not include the "frame-ancestors" part seen in the configuration section when using the PLM Process Configuration Settings dialog; specify only the URLs.

The P3P entry is added automatically only when both of these conditions hold:

  • an X-Frame-Options value is entered, and
  • the host name used in that value differs from the auto-detected or custom host name specified in the dialog.

The P3P value itself is hard-coded.

You can enter values in none, one, or both of the X-Frame-Options and CSP2 fields; both default to blank. The PLM Process CE Authentication application does not know the URL of the portal within which Optiva is eventually run. Entries are written to the configuration file only for fields that have a value; no entries containing empty values are written.

Together, the two values provide fairly good protection against clickjacking attempts. Browser support is sketchy at best: one browser may support one header but not the other, or support a header but not all of its attributes. This is why both fields should be used for the greatest coverage across browsers. Even then, gaps in support can remain.
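As an added worked example (not Optiva's own code), the following Python derives the <customHeaders> entries from the two dialog fields and the dialog host name according to the rules in this section, then checks which parent origins a browser would let frame the page. The case-insensitive host-name comparison and the exact-origin matching of frame-ancestors sources are assumptions.

```python
# Added example (not Optiva's own code): derives the Web.config <customHeaders>
# entries from the two Security-section fields and checks a framing decision.
# Host comparison and exact-origin matching are simplifying assumptions.
from urllib.parse import urlparse
from xml.sax.saxutils import quoteattr

P3P_VALUE = "CP=Infor doesn't have any p3p policies."  # hard-coded value from the page


def build_custom_headers(top_site_url, csp_urls, host_name):
    """Return (name, value) pairs for <customHeaders>; empty fields add nothing.

    top_site_url: X-Frame-Options Top Site URL field (URL only, no ALLOW-FROM)
    csp_urls:     Content Security Policy 2 URLs field (space separated, no frame-ancestors)
    host_name:    the auto-detected or custom host name shown in the dialog
    """
    headers = []
    top = top_site_url.strip()
    if top:
        headers.append(("X-Frame-Options", f"ALLOW-FROM {top}"))
    sources = csp_urls.split()
    if sources:
        headers.append(("Content-Security-Policy", "frame-ancestors " + " ".join(sources)))
    # P3P only when X-Frame-Options is set and its host differs from the dialog host name
    if top and (urlparse(top).hostname or "") != host_name.strip().lower():
        headers.append(("P3P", P3P_VALUE))
    return headers


def to_xml(headers):
    """Render the pairs as the <add .../> lines used inside <customHeaders>."""
    body = [f"  <add name={quoteattr(n)} value={quoteattr(v)} />" for n, v in headers]
    return "\n".join(["<customHeaders>", *body, "</customHeaders>"])


def framing_allowed(headers, parent_origin):
    """Would a browser let parent_origin frame a page that sends these headers?

    Browsers implementing CSP Level 2 honour frame-ancestors and ignore
    X-Frame-Options when both are present; older ones see only X-Frame-Options.
    """
    for directive in headers.get("Content-Security-Policy", "").split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            return parent_origin in parts[1:]
    xfo = headers.get("X-Frame-Options", "").strip()
    if xfo.upper().startswith("ALLOW-FROM"):
        return xfo.split(None, 1)[1:] == [parent_origin]
    return xfo == ""  # DENY / SAMEORIGIN block a foreign parent; no header = unrestricted
```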