8.24 iManager Is Vulnerable to Cross-Domain Referer Leakage

When a web browser makes a request for a resource, it typically adds an HTTP header, called the Referer header, indicating the URL of the resource from which the request originated. If the resource being requested resides on a different domain, then the Referer header is still generally included in the cross-domain request. If the originating URL contains any sensitive information within its query string, such as a session token, then this information will be transmitted to the other domain. If the other domain is not fully trusted by the application, then this may lead to a security compromise.

To troubleshoot this issue, perform the following steps:

  1. Stop Tomcat.

  2. Open the /var/opt/novell/iManager/nps/WEB-INF/web.xml file.

  3. Under <description>Novell's Management Console</description>, add the following:

    <filter>
      <filter-name>CorsFilter</filter-name>
      <filter-class>org.apache.catalina.filters.CorsFilter</filter-class>
      <init-param>
        <param-name>cors.allowed.origins</param-name>
        <param-value>https://164.99.1.1:8443</param-value>
      </init-param>
      <init-param>
        <param-name>cors.allowed.methods</param-name>
        <param-value>GET,POST,HEAD,DELETE,OPTIONS,PUT</param-value>
      </init-param>
      <init-param>
        <param-name>cors.allowed.headers</param-name>
        <param-value>Content-Type,X-Requested-With,accept,Origin,Access-Control-Request-Method,Access-Control-Request-Headers</param-value>
      </init-param>
      <init-param>
        <param-name>cors.exposed.headers</param-name>
        <param-value>Access-Control-Allow-Origin</param-value>
      </init-param>
      <init-param>
        <param-name>cors.support.credentials</param-name>
        <param-value>false</param-value>
      </init-param>
      <init-param>
        <param-name>cors.preflight.maxage</param-name>
        <param-value>10</param-value>
      </init-param>
    </filter>
    <filter-mapping>
      <filter-name>CorsFilter</filter-name>
      <url-pattern>/*</url-pattern>
    </filter-mapping>

    NOTE: The param-value of cors.allowed.origins is the origin that is allowed to make cross-origin requests. In this example it is the iManager server's own URL (https://164.99.1.1:8443); replace it with the details of your iManager server.

  4. Start Tomcat.

Additionally, you can add a custom Referrer-Policy header in the web.xml file through the existing filter class AntiCsrfServletFilter. For example, add an init-param with the param-name Referrer-Policy, as shown in the sample XML below:

<filter>
  <filter-name>iManagerAntiCsrfFilter</filter-name>
  <display-name>iManagerAntiCsrfFilter</display-name>
  <description>Filter to prevent Cross Site Request Forgeries</description>
  <filter-class>com.novell.emframe.fw.filter.AntiCsrfServletFilter</filter-class>
  <init-param>
    <param-name>Referrer-Policy</param-name>
    <param-value>"As per document link referral-policy can be added here"</param-value>
  </init-param>
</filter>

For a list of all supported Referrer-Policy values, see Referrer-Policy.
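As an added check (not part of this documentation or of iManager itself): the Python script below parses a web.xml and verifies the two hardening settings described above, i.e. that CorsFilter names a specific allowed origin with cors.support.credentials set to false, and that iManagerAntiCsrfFilter carries a Referrer-Policy init-param whose value is one of the policy names from the W3C Referrer-Policy specification. It assumes the element names shown on this page and Python 3.8 or later (for the {*} namespace wildcard); the embedded web.xml fragment is constructed for the example.

```python
import xml.etree.ElementTree as ET

# Policy names defined by the W3C Referrer-Policy specification.
VALID_REFERRER_POLICIES = {
    "no-referrer", "no-referrer-when-downgrade", "origin", "origin-when-cross-origin",
    "same-origin", "strict-origin", "strict-origin-when-cross-origin", "unsafe-url",
}

def filter_params(web_xml):
    """Map each <filter-name> to its {param-name: param-value} init-params.
    The {*} wildcard matches elements with or without the Java EE namespace."""
    out = {}
    for f in ET.fromstring(web_xml).findall(".//{*}filter"):
        out[f.findtext("{*}filter-name", "").strip()] = {
            p.findtext("{*}param-name", "").strip(): p.findtext("{*}param-value", "").strip()
            for p in f.findall("{*}init-param")
        }
    return out

def audit(web_xml):
    """Return a list of findings; an empty list means both filters match the page's guidance."""
    findings = []
    filters = filter_params(web_xml)
    cors = filters.get("CorsFilter")
    if cors is None:
        findings.append("CorsFilter is not declared")
    else:
        if cors.get("cors.allowed.origins", "") in ("", "*"):
            findings.append("cors.allowed.origins must name the iManager origin, not '*'")
        if cors.get("cors.support.credentials", "").lower() != "false":
            findings.append("cors.support.credentials should be false")
    csrf = filters.get("iManagerAntiCsrfFilter")
    if csrf is None:
        findings.append("iManagerAntiCsrfFilter is not declared")
    elif csrf.get("Referrer-Policy") not in VALID_REFERRER_POLICIES:
        findings.append("Referrer-Policy is missing or not a recognised policy name")
    return findings

# Constructed sample fragment for this example (not a real iManager web.xml).
SAMPLE_WEB_XML = """<web-app>
<filter><filter-name>CorsFilter</filter-name>
 <filter-class>org.apache.catalina.filters.CorsFilter</filter-class>
 <init-param><param-name>cors.allowed.origins</param-name><param-value>https://164.99.1.1:8443</param-value></init-param>
 <init-param><param-name>cors.support.credentials</param-name><param-value>false</param-value></init-param></filter>
<filter><filter-name>iManagerAntiCsrfFilter</filter-name>
 <filter-class>com.novell.emframe.fw.filter.AntiCsrfServletFilter</filter-class>
 <init-param><param-name>Referrer-Policy</param-name><param-value>strict-origin-when-cross-origin</param-value></init-param></filter>
</web-app>"""
```

Run audit() against the real file (e.g. open("/var/opt/novell/iManager/nps/WEB-INF/web.xml").read()) after editing it and before restarting Tomcat; any non-empty result points at the init-param to fix.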