Security headers preventing virtual app from working
Some sites send headers that restrict where their content can be displayed and which sources it can load from. They might look like these from the adp.com site.
X-Content-Security-Policy=default-src 'self' *.adp.com *.google.com ; frame-src * ; img-src * ; options inline-script eval-script; frame-ancestors https://*.adp.com ;
Content-Security-Policy=default-src 'self' *.adp.com *.google.com ; frame-src * ; script-src 'self' 'unsafe-inline' 'unsafe-eval'; connect-src https://*.adp.com; style-src 'self' 'unsafe-inline'; img-src * ;
These headers prevented the page from running in a virtual webapp. To fix this, we were able to modify the headers on the webapp. The header rules looked like this:
Header Rule #1:
$Content-Security-Policy
.*~off
Header Rule #2:
$X-Content-Security-Policy
.*~off
This set each header's value to "off" and allowed the data to display correctly, at the cost of the protection the site's policy provided.
An explanation of these headers can be found here.
If you want to maintain the security instead of turning the policy off, you could use a header rule to change:
Content-Security-Policy:default-src 'self' *.adp.com *.google.com ; frame-src * ; script-src 'self' 'unsafe-inline' 'unsafe-eval'; connect-src https://*.adp.com; style-src 'self' 'unsafe-inline'; img-src * ;
to something like this:
Content-Security-Policy:default-src 'self' *.adp.com *.stone-ware.com *.google.com ; frame-src * ; script-src 'self' 'unsafe-inline' 'unsafe-eval'; connect-src https://*.stone-ware.com https://*.adp.com; style-src 'self' 'unsafe-inline'; img-src * ;
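The rewrite above, as an added Python example that is not Unified Workspace code and does not use its header rule syntax: it parses the policy and adds the proxy host only to the directives that need it, leaving everything else enforced. The function names and the PROXY_SOURCES mapping are hypothetical; the policy string and the *.stone-ware.com sources are the ones quoted on this page.

```python
# Added example: CSP rewriting logic only, not Unified Workspace code or rule syntax.

def parse_csp(value):
    """Parse a CSP header value into an ordered {directive: [sources]} dict."""
    policy = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            # A repeated directive is ignored by browsers, so keep the first one.
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def serialize_csp(policy):
    return "; ".join(" ".join([name, *sources]) for name, sources in policy.items())


def allow_proxy(value, additions):
    """Add sources to directives that already exist in the policy.

    Absent directives are left absent so they keep falling back to default-src
    instead of being created with only the proxy host in them.
    """
    policy = parse_csp(value)
    for directive, sources in additions.items():
        current = policy.get(directive)
        if current is None or "*" in current:
            continue  # not present, or the wildcard already admits the proxy host
        if [s.lower() for s in current] == ["'none'"]:
            current.clear()  # 'none' must stand alone, so replace it
        current.extend([s for s in sources if s not in current])
    return serialize_csp(policy)


# The policy quoted on this page, and the two additions the page makes to it.
ORIGINAL = ("default-src 'self' *.adp.com *.google.com ; frame-src * ; "
            "script-src 'self' 'unsafe-inline' 'unsafe-eval'; "
            "connect-src https://*.adp.com; style-src 'self' 'unsafe-inline'; img-src * ;")
PROXY_SOURCES = {
    "default-src": ["*.stone-ware.com"],
    "connect-src": ["https://*.stone-ware.com"],
}

if __name__ == "__main__":
    print("Content-Security-Policy: " + allow_proxy(ORIGINAL, PROXY_SOURCES))
```

The source order within a directive differs from the hand-edited header above, which does not change how the browser evaluates it.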