SAP Knowledge Base Article - Public

2721970 - Enabling Browser Side Cross Site Scripting Protections in SAP SuccessFactors Learning.

Symptom

How to enable Browser Side Cross Site Scripting Protections in SAP SuccessFactors Learning

Environment

Successfactors Learning , Learning Managment System

Resolution

What is XSS?

--> XSS is a common attack against a web-based application that allows an attacker to execute code on the vulnerable website.

What is CSRF?


--> Cross-Site Request Forgery (CSRF) is a type of attack that occurs when a malicious Web site, email, blog, instant message, or program causes a user’s Web browser to perform an unwanted action on a trusted site for which the user is currently authenticated. The impact of a successful cross-site request forgery attack is limited to the capabilities exposed by the vulnerable application. For example, this attack could result in a transfer of funds, changing a password, or purchasing an item in the user's context. In affect, CSRF attacks are used by an attacker to make a target system perform a function via the target's browser without knowledge of the target user, at least until the unauthorized function has been committed.


Enabling Browser Side Cross Site Scripting Protections in SAP SuccessFactors Learning.

--> Go to SAP SuccessFactors Learning Administration and then go to  System Admin > Configuration  > System Configuration .
--> Edit WEB_SECURITY.
--> Set browserXSSFilterHeader.enabled to true.
--> If you want to exclude any URL from sending the header, add them in browserXSSFilterHeader.excludeURI.
Click Apply Changes.

Also refer below KBA for more information.

https://help.sap.com/viewer/05c999cdc7954be893bc497b2d5e6364/1708/en-US/a07ba5430f954246aaa834ffb8b2aa5e.html

Keywords

browserXSSFilterHeader.enabled , WEB_SECURITY , XSS , CSRF , Cross-Site Request Forgery (CSRF) , Cross-Site. , KBA , LOD-SF-LMS-COR , LMS Core - Items, Catalog, Curricula , Problem

Product

SAP SuccessFactors Learning all versions