apm sso inline javascript

Question

Hi all,&nbsp;
I'm trying to implement APM+SSO (form-based client-initiated) on a web-application.
The form detection seems to work fine, because I can see injected Javascript in the page source on client's browser, but I always get an error message "Content Security Policy: The page's settings blocked the loading of a resource: An attempt to execute inline scripts has been blocked" in Firefox or similar message in Google Chrome. The result is, that the normal form is displayed.&nbsp;
I configured the policy with this guide:
apm-authentication-single-sign-on-11-5-0&nbsp;
Any hints how I can resolve this issue?&nbsp;
Many thanks,
Philipp&nbsp;

kunjan_118660 · Answer

For Firefox, you can disable content security policy.. of course it brings down the security.&nbsp;&nbsp;
In address bar, type about:config  and search for security.mixed_content.block_active_content. Double-click it and change its value to false.&nbsp;&nbsp;
Or you can try Form based SSO, instead of the client initiated Form SSO.&nbsp;

kunjan · Answer

For Firefox, you can disable content security policy.. of course it brings down the security.&nbsp;&nbsp;
In address bar, type about:config  and search for security.mixed_content.block_active_content. Double-click it and change its value to false.&nbsp;&nbsp;
Or you can try Form based SSO, instead of the client initiated Form SSO.&nbsp;

philipp_stadler · Answer

I already tried form based SSO, but I could catch the logon form by URI, with client-initiated form-based I did it by header field (Referrer), which worked ok.
I think turning of security isn't a way to go for a public application.

regards,
Philipp

philipp_stadler · Answer

I already tried form based SSO, but I could catch the logon form by URI, with client-initiated form-based I did it by header field (Referrer), which worked ok.
I think turning of security isn't a way to go for a public application.

regards,
Philipp

michael_jenkins · Answer

I've just run into the same issue with APM+SSO and it's due to CSP (Content Security Policy). The application is sending a header that specifies where different things are allowed to be loaded from, like scripts, style sheets, fonts, and images). Newer, compliant browsers will interpret that header and depending on the settings, will disable inline javascript, which is how the APM adds if forms sso.&nbsp;
In order to fix this, you'll need to either modify the CSP directive for the application, or you can modify it through an iRule. See the following sites for more information on what CSP is and does. Unless the F5 engineers can update the APM SSO to use javascript files for the SSO stuff, this issue may become more prevalent over time with the standardization of HTML5 applications.&nbsp;
http://www.html5rocks.com/en/tutorials/security/content-security-policy/http://www.cspplayground.com/home
Hope this helps.&nbsp;

Forum Discussion

apm sso inline javascript

5 Replies

AppWorld 2026: Save the Date and Join Our Community In Person!

Introducing the F5 AI Assistant for BIG-IP

Recent Discussions

Round-robin method not load balanced

F5 AI Roadmap

F5 object groups in AFM

F5 BGP Peering in Active /Standby Cluster

F5 rSeries || Upgrade tenant

Related Content

NGINX Plus Request body Rate Limit with the NJS module and javascript

Agentic AI with Social Engineering, JavaScript Stealer and the Silent Lynx

JavaScript Supply Chains, Magecart, and F5 XC Client-Side Defense (Demo)

Javascript injecting systems effect on web application end users - a scenario review

Javascript Insert v10+

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS