IBM Cognos Application Firewall validation is enforced on URLs using the following rules.
Fully qualified, or absolute URLs:
protocol://host[:port]/path[?query]
Where protocol is either ‘http’ or ‘https’ and the host is validated against the valid domain list, which is specified by the Administrator in IBM Cognos Configuration. For more information, see the Installation and Configuration Guide.
URLs relative to the C8 installation web root:
/<install root>/.*
Where <install root> is the gateway file path, taken from the Gateway URI in the Cognos Configuration Tool. For example, /cognos8/ps/portal/images/.
One of the following specifically allowed URLs:
about:blank (case insensitive)
JavaScript:window.close() (case insensitive, with or without trailing semi-colon)
JavaScript:parent.close() (case insensitive, with or without trailing semi-colon)
JavaScript:history.back() (case insensitive, with or without trailing semi-colon)
parent.cancelErrorPage() (case insensitive, with or without trailing semi-colon)
doCancel() (case insensitive, with or without trailing semi-colon)
In addition, an advanced configuration setting, RSVP.RENDER.VALIDATEURL, can be used to specify whether these rules are applied to URL values contained within a report specification. CAF must be enabled for the RSVP.RENDER.VALIDATEURL setting to take effect.
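The three rule groups above can be expressed as an allow-list check. The following Python sketch is an added example, not IBM Cognos code; it shows how such a check treats look-alike inputs. Assumptions: the host names in VALID_HOSTS, the install root /cognos8, exact host matching against the domain list, and the rejection of whitespace and control characters.

```python
import re
from urllib.parse import urlsplit

# Assumed values for illustration. In a deployment they come from IBM Cognos
# Configuration: the valid domain list and the path part of the Gateway URI.
VALID_HOSTS = {"reports.example.com", "intranet.example.com"}
INSTALL_ROOT = "/cognos8"

# Specifically allowed values: case insensitive, optional trailing semicolon.
ALLOWED_LITERALS = re.compile(
    r"(?:javascript:window\.close\(\)|javascript:parent\.close\(\)"
    r"|javascript:history\.back\(\)|parent\.cancelErrorPage\(\)"
    r"|doCancel\(\));?",
    re.IGNORECASE,
)


def is_url_allowed(url: str) -> bool:
    """Return True only when url matches one of the three rule groups."""
    # Defensive step not stated on the page: refuse whitespace and control
    # characters so the URL parser cannot silently normalise them away.
    if any(ch.isspace() or ord(ch) < 0x20 for ch in url):
        return False
    if url.lower() == "about:blank" or ALLOWED_LITERALS.fullmatch(url):
        return True
    # Relative to the installation web root: /<install root>/.*
    if url.startswith(INSTALL_ROOT + "/"):
        return True
    # Absolute URL: protocol://host[:port]/path[?query]
    try:
        parts = urlsplit(url)
        parts.port  # raises ValueError for a non-numeric or out-of-range port
    except ValueError:
        return False
    if parts.scheme not in ("http", "https"):
        return False
    # .hostname is lower-cased and excludes userinfo and port, so
    # "http://reports.example.com@other.example/" is judged on other.example.
    return (parts.hostname or "") in VALID_HOSTS
```

The allowed JavaScript values are matched as whole strings, so anything appended after the permitted call fails the check.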