Our company has issued a requirement for all applications to enable CSP (Content Security Policy). The problem is one of the first applications to enable this has Bot Defense enabled. Part of PBD i...
Has anyone come across this and what methods did you employ to resolve it, i.e. iRule or Traffic policy to set the nonce key on the JS, which is not super ideal?
I am running into the same issue here.
I have just tested this, but the issue is that ASM sets the script tags in the HTTP payload after the HTTP_RESPONSE_DATA event, which is the last moment we can manipulate the payload. So we are never able to manipulate the script tags ourselves to add the nonce value.
UPDATE:
I have created an iRule that works for me. It uses an HTML profile with a rule that triggers on seeing a script tag in the HTML. When using this profile you get access to the HTML_TAG_MATCHED event in the iRule.
The iRule then takes the nonce value from the Content-Security-Policy header and adds it (if missing) to the script tags.
# iRule to get the nonce value from a CSP header and put it in the HTML script tags.
# This is needed for the JavaScript that is injected by an ASM Bot Defense profile.
# Make sure to put an HTML profile on the virtual server that triggers an
# event when it detects a script tag in the HTML.
when HTTP_RESPONSE {
    # Forget any nonce left over from a previous response on this (keep-alive)
    # connection, so a stale nonce is never inserted into the next response.
    if {[info exists nonce]} {
        unset nonce
    }
    # Check if the response header contains a CSP
    if {[HTTP::header exists "Content-Security-Policy"]} {
        # Get the CSP header value
        set csp [HTTP::header value "Content-Security-Policy"]
        # Get the nonce value: the first 'nonce-<value>' source expression in the policy.
        # (string range / string trim cannot do this reliably: trim removes a set of
        # characters from both ends, not the literal prefix "nonce-".)
        regexp {'nonce-([^']+)'} $csp -> nonce
    }
}
# Event fired when the HTML profile rule matches a script tag
when HTML_TAG_MATCHED {
    # Only act if this response actually carried a nonce
    if {[info exists nonce]} {
        # Check if a nonce attribute already exists; if not, add it
        if {not [HTML::tag attribute exists "nonce"]} {
            HTML::tag attribute insert "nonce" $nonce
        }
    }
}
This is the HTML Profile event rule I created; you link this to an HTML profile, then you add it to your virtual server config.
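Added illustration, not part of the thread above: a Python reference model of the logic the iRule performs on the BIG-IP (parse the Content-Security-Policy header, pull the script-src nonce, stamp it onto script tags that lack one), written so the parsing can be run and checked offline. It is not an iRule and uses no F5 APIs; the header values and HTML body are constructed sample data. It also transcribes the `string range ... end-3` / `string trim` extraction from the originally posted iRule to show why that approach returns a wrong nonce. Two caveats a practitioner should keep in mind: the nonce must come from the current response only (never carried over from an earlier response on the same connection), and stamping the nonce onto every script tag makes the proxy vouch for any inline script in the body, so the HTML-profile match should be as narrow as the injected tag allows.

```python
"""Proxy-side CSP nonce propagation, modelled in Python (not an iRule).

Everything here is an added example; the CSP header strings and HTML body
below are constructed sample inputs, not data from the thread.
"""
import re


def parse_csp(header: str) -> dict[str, list[str]]:
    """Split a Content-Security-Policy value into {directive: [source expressions]}.

    Directives are ';'-separated, source expressions whitespace-separated.
    A repeated directive keeps the first occurrence, as browsers do.
    """
    directives: dict[str, list[str]] = {}
    for directive in header.split(";"):
        parts = directive.strip().split()
        if not parts:
            continue
        name, *sources = parts
        directives.setdefault(name.lower(), sources)
    return directives


def script_nonces(header: str) -> list[str]:
    """Return the nonce values that govern scripts.

    script-src is used when present; otherwise CSP falls back to default-src.
    """
    directives = parse_csp(header)
    sources = directives.get("script-src")
    if sources is None:
        sources = directives.get("default-src", [])
    return [
        s[len("'nonce-"):-1]
        for s in sources
        if s.startswith("'nonce-") and s.endswith("'")
    ]


def naive_nonce(csp: str) -> str:
    """Transcription of the posted iRule's extraction:
    [string trim [string range $csp $idx end-3] "nonce-"].
    Kept only to demonstrate that it mis-parses: it assumes the nonce sits at
    the end of the header, and 'trim' strips any of the characters n,o,c,e,-
    from both ends rather than removing the literal prefix.
    """
    idx = csp.find("nonce-")
    return csp[idx:len(csp) - 3].strip("nonce-")


# Opening <script ...> tags. A regex is adequate for this demonstration; the
# BIG-IP HTML profile tokenizes the markup properly, which this does not
# (a '>' inside an attribute value would confuse it).
SCRIPT_OPEN = re.compile(r"<script\b([^>]*)>", re.IGNORECASE)
NONCE_ATTR = re.compile(r"\bnonce\s*=", re.IGNORECASE)


def add_nonce_to_scripts(html: str, nonce: str) -> str:
    """Add nonce="..." to every <script> opening tag that has no nonce yet."""

    def repl(match: re.Match) -> str:
        attrs = match.group(1)
        if NONCE_ATTR.search(attrs):
            return match.group(0)  # already carries a nonce, leave untouched
        return f'<script{attrs} nonce="{nonce}">'

    return SCRIPT_OPEN.sub(repl, html)


def propagate_nonce(headers: dict[str, str], body: str) -> str:
    """Per-response step: derive the nonce from THIS response's CSP header and
    stamp it into the body. No state survives between calls, which is the
    property an iRule must reproduce (reset the variable on each response).
    """
    csp = headers.get("Content-Security-Policy")
    if not csp:
        return body
    nonces = script_nonces(csp)
    if not nonces:
        return body
    return add_nonce_to_scripts(body, nonces[0])


# Constructed sample response: the nonce is not the last source in the header.
SAMPLE_CSP = "default-src 'self'; script-src 'self' 'nonce-Qm9iQ2FjZWU3'; object-src 'none'"
SAMPLE_HTML = (
    '<html><head><script src="/app.js"></script></head>'
    '<body><script nonce="Qm9iQ2FjZWU3">app.init()</script>'
    "<script>/* tag injected by the proxy */</script></body></html>"
)

if __name__ == "__main__":
    print("correct :", script_nonces(SAMPLE_CSP))
    print("naive   :", repr(naive_nonce(SAMPLE_CSP)))
    print(propagate_nonce({"Content-Security-Policy": SAMPLE_CSP}, SAMPLE_HTML))
```

Running the module prints the correctly parsed nonce, the garbage the naive extraction produces for the same header, and the rewritten body in which only the two script tags without a nonce gained one.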