Configuring custom headers in an HTTP response from the OAuth 2.0 client


As an administrator, you can configure Content Security Policy (CSP) headers in an HTTP response from the /authorize and /consent-decision endpoints. Custom headers help mitigate access issues with iframes in a multi-domain flow. If the administrator does not add CSP headers, users see browser errors when they try to open an integrated BMC application in an iframe; for example, users cannot open BMC Helix Virtual Agent in an iframe because they see CSP errors.

Before configuring custom headers, review the following list of CSP terms: 

  • Content Security Policy—Declarative policy composed of a set of directives that lets the authors or administrators of a web application inform the client about the sources from which the application expects to load resources.
    For more information, see Content Security Policy.

  • Header—HTTP header that can be used in an HTTP response and that does not relate to the content of the message.
    For more information, see Response header.

  • Value—Value of the CSP header or CSP directive that specifies a source from which resources may be loaded.
    For more information, see CSP source values.

  • Origin—Corresponds to the value of the 'Origin' header of an HTTP request. If the HTTP request contains an 'Origin' header, the Origin value set for the CSP header must be the same as the request's 'Origin' header, or be left EMPTY. If the values differ, the CSP header values specified in the Administration console are not included in the HTTP response. Example: origin: https://app1.bmc.com
    The 'Origin' header relates to the same-origin policy, a critical security mechanism that restricts how a document or script loaded by one origin can interact with a resource from another origin.
    For more information, see Origin.

To add custom headers

  1. In the administrator console, select OAuth > Clients.
  2. Register or edit a client.
  3. In the CSP Headers section, click Add Header and add the required headers.
    The following table describes the valid values for the headers:

    Header (required): Content-Security-Policy
    Value (required):
      • frame-ancestors
      • frame-src
      • object-src
      • script-src
      • worker-src
    Origin (optional): To apply the policy to all requests, leave this field empty. To exclude the policy for specific requests, enter the requests in the field.
    Example:
      HTTP response with the Content-Security-Policy header: frame-ancestors value
        frame-ancestors <source> [<source> ...]
        For example:
        frame-ancestors http://*.example.com mail.example.com:443 https://store.example.com/ 'self'
      HTTP response with the Content-Security-Policy header: frame-src value
        frame-src <source> [<source> ...]
        For example:
        frame-src https://example.com https://*.example.com:12/path/to/file.js *.example.com mail.example.com:443 https://local.source.com:9443
      HTTP response with the Content-Security-Policy header: object-src value
        object-src <source> [<source> ...]
        For example:
        - object-src 'self' https://source-host.com:9443/app1 http://some-host1.com https://some-host2.com:30443 *.example.com
        - object-src 'none'
        - object-src 'self' blob:
      HTTP response with the Content-Security-Policy header: script-src value
        script-src <source> [<source> ...]
        For example:
        - script-src 'self' https://source-host.com:9443/app1 http://some-host1.com:9080 https://some-host2.com 'nonce-2726c7f26c'
        - script-src 'none'
        - script-src 'self' blob:
      HTTP response with the Content-Security-Policy header: worker-src value
        worker-src <source> [<source> ...]
        For example:
        - worker-src 'self' https://source-host.com:9443/app1 http://some-host1.com https://some-host2.com mail.example.com:443
        - worker-src 'none'
        - worker-src 'self' blob:

    Header (required): Access-Control-Allow-Origin
    Example:
      HTTP response with the Access-Control-Allow-Origin header
        Access-Control-Allow-Origin: http://hostname:port
        Cache-Control: no-store
        Connection: keep-alive
        Content-Length: 2069
        Content-Security-Policy: script-src 'self' https://www.google.com https://www.gstatic.com 'nonce-hash value'; object-src 'none'; worker-src 'self' blob:; frame-ancestors 'self'
        Content-Type: text/html;charset=UTF-8
        Date: Tue, 20 Dec 2022 14:17:40 GMT
        Keep-Alive: timeout=20
        X-Content-Type-Options: nosniff
        X-XSS-Protection: 1; mode=block
      Important: In this example, the Content-Security-Policy header was not added to the configuration in the administrator console. However, its value is shown by default.

    Header (required): X-Frame-Options
    Value (required):
      • DENY
      • SAMEORIGIN
    Example:
      HTTP response with the X-Frame-Options header
        Cache-Control: no-store
        Connection: keep-alive
        Content-Length: 2069
        Content-Security-Policy: script-src 'self' https://www.google.com https://www.gstatic.com 'nonce-hash value'; object-src 'none'; worker-src 'self' blob:; frame-ancestors 'self'
        Content-Type: text/html;charset=UTF-8
        Date: Tue, 20 Dec 2022 14:19:52 GMT
        Keep-Alive: timeout=20
        X-Content-Type-Options: nosniff
        X-Frame-Options: SAMEORIGIN
        X-XSS-Protection: 1; mode=block
      Important: In this example, the Content-Security-Policy header was not added to the configuration in the administrator console. However, its value is shown by default.

  4. Save your changes.

Important: You can add multiple headers with different values to merge all the values into one header. The following example shows this type of HTTP response:

HTTP response with multiple values for the Content-Security-Policy header
Cache-Control: no-store
Connection: keep-alive
Content-Length: 2069
Content-Security-Policy: frame-ancestors 'self' http://hostname:port; script-src 'self' 'nonce-hash value'
Content-Type: text/html;charset=UTF-8
Date: Tue, 20 Dec 2022 14:11:39 GMT
Keep-Alive: timeout=20
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
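The Origin rule from the term list and the merge behaviour described in this note are easy to get wrong once several headers are configured. The following Python is an added example, not BMC's code: it models both rules for a constructed sample configuration and then checks whether a given embedding origin would be allowed to frame the response under the resulting frame-ancestors directive (or under X-Frame-Options when no frame-ancestors is present). It assumes, which the page does not state, that each configured entry is a (header, value, origin) triple and that values for one header are joined with '; '.

```python
"""Model of this page's CSP rules (added example, not BMC product code). Assumed, not
stated on the page: configured headers are (header, value, origin) triples, values for
one header are joined with '; ', and a non-empty Origin must equal the request's Origin."""
from fnmatch import fnmatchcase
from urllib.parse import urlsplit
DEFAULT_PORT = {"https": 443, "http": 80}

# Constructed sample configuration, as an administrator could enter it in the console.
CONFIG = [
    ("Content-Security-Policy", "frame-ancestors 'self' https://*.example.com", ""),
    ("Content-Security-Policy", "script-src 'self' 'nonce-2726c7f26c'", ""),
    ("Content-Security-Policy", "frame-src https://app1.bmc.com", "https://app1.bmc.com"),
    ("X-Frame-Options", "SAMEORIGIN", ""),
]

def effective_headers(config, request_origin=""):
    """Headers the response carries for a request whose Origin header is request_origin."""
    merged = {}
    for header, value, origin in config:
        if origin and origin != request_origin:   # Origin mismatch: the entry is dropped
            continue
        merged[header] = f"{merged[header]}; {value}" if header in merged else value
    return merged

def parse_csp(value):
    """'dir src src; dir src' -> {directive: [sources]}."""
    return {p[0]: p[1:] for p in (d.split() for d in value.split(";")) if p}

def source_allows(source, embedder, self_origin):
    """Does one frame-ancestors source allow a page at origin `embedder` to frame us?
    CSP host matching: '*.' covers one or more labels, an https source needs an https
    embedder, an omitted port means the scheme's default, and the path is ignored."""
    if source.startswith("'"):                     # keywords: only 'self' can match
        return source == "'self'" and embedder == self_origin
    scheme = urlsplit(self_origin).scheme          # scheme-less sources inherit ours
    s = urlsplit(source if "://" in source else f"{scheme}://{source}")
    e = urlsplit(embedder)
    if (s.scheme == "https" and e.scheme != "https") or \
            (s.port or DEFAULT_PORT[e.scheme]) != (e.port or DEFAULT_PORT[e.scheme]):
        return False
    return fnmatchcase(e.hostname, s.hostname)

def can_be_framed_by(headers, embedder, self_origin):
    """Combine frame-ancestors and X-Frame-Options as a browser does (CSP takes precedence)."""
    csp = parse_csp(headers.get("Content-Security-Policy", ""))
    if "frame-ancestors" in csp:
        return any(source_allows(s, embedder, self_origin) for s in csp["frame-ancestors"])
    xfo = headers.get("X-Frame-Options", "").upper()
    return False if xfo == "DENY" else (embedder == self_origin or xfo != "SAMEORIGIN")
```

Run `effective_headers(CONFIG)` with and without a request Origin of https://app1.bmc.com to see the frame-src entry appear only for the matching Origin, then feed the result to `can_be_framed_by` with the portal origin you intend to embed from.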
