Forum Discussion
Content-Security-Policy
Hi,
The code stated below may work. Can you try it?
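when CLIENT_ACCEPTED {
    set host_exist 0
}
when HTTP_REQUEST {
    # Reset on every request so a keep-alive connection does not reuse an earlier match
    set host_exist 0
    set host [HTTP::host]
    if { [class match $host contains host_lookup_table] } {
        set host_exist 1
    }
}
when HTTP_RESPONSE {
    if { $host_exist equals 1 } {
        HTTP::header insert "X-Content-Security-Policy" "frame-ancestors 'self' $host"
        # The directive is frame-src; host sources are not single-quoted (only keywords such as 'self' are)
        HTTP::header insert "X-Content-Security-Policy" "frame-src 'self' $host"
    } else {
        # Tcl requires else on the same line as the closing brace of the if body
        HTTP::header insert "X-Content-Security-Policy" "frame-ancestors 'self'"
        HTTP::header insert "X-Content-Security-Policy" "frame-src 'self'"
    }
}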
- Roflcopter, Feb 12, 2018
Nimbostratus
Thanks a lot. Looks like it would work. I like the way you used a second variable that can be used when making the decision on what to send back to the client, so nice and simple!
I'll give it a test run tomorrow, thanks for taking the time to post a response!
- oguzy_191375, Feb 12, 2018
Nimbostratus
You are welcome. I hope it can solve your issue. After your test run tomorrow, if it works, would you mind accepting the answer?
- Roflcopter, Feb 19, 2018
Nimbostratus
Had to add a bit more functionality to the rule. Turned out that the site actually had other sites framed within it, so this meant that the original host captured wasn't enough. We also had to return the framed site.
So using a datagroup we could make a key pair using a string and a value, for example host1.com = host2.com.
Then in the iRule we capture the HTTP::host in the HTTP_REQUEST, set it as the variable $host, then look that variable up in the datagroup and return its value as the variable $value.
Then $value can be used in the HTTP_RESPONSE.
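when HTTP_REQUEST {
    # Initialise on every request so HTTP_RESPONSE never reads an unset or stale flag
    set host_exist 0
    set host [HTTP::host]
    if { [class match $host contains content-security] } {
        set host_exist 1
        # Value stored against the key, e.g. host1.com = host2.com.
        # This lookup uses equals while the test above uses contains, so $value
        # is empty when only the substring match hits.
        set value [class match -value "$host" equals "content-security"]
    }
}
when HTTP_RESPONSE {
    if { $host_exist equals 1 } {
        HTTP::header insert "Content-Security-Policy" "frame-ancestors 'self' $value"
        # The directive is frame-src; host sources are not single-quoted
        HTTP::header insert "X-Content-Security-Policy" "frame-src 'self' $value"
    } else {
        HTTP::header insert "Content-Security-Policy" "frame-ancestors 'self'"
        HTTP::header insert "X-Content-Security-Policy" "frame-src 'self'"
    }
}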
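A lint pass for the header values an iRule like the ones in this thread would emit, as an added example that is not part of the original posts: it flags directive names browsers do not recognise, host sources wrapped in single quotes, and the legacy X- header name. The function name, the directive list and the sample values are constructed for illustration.

```python
import re

# Directive names from the CSP specification (subset sufficient for framing policies).
KNOWN_DIRECTIVES = {
    "default-src", "script-src", "style-src", "img-src", "connect-src",
    "font-src", "object-src", "media-src", "frame-src", "child-src",
    "worker-src", "manifest-src", "frame-ancestors", "form-action",
    "base-uri", "report-uri", "report-to", "sandbox",
    "upgrade-insecure-requests",
}
STANDARD_HEADERS = {"content-security-policy",
                    "content-security-policy-report-only"}
# Only keywords, nonces and hashes are written inside single quotes.
KEYWORDS = {"'self'", "'none'", "'unsafe-inline'", "'unsafe-eval'",
            "'strict-dynamic'", "'report-sample'", "'unsafe-hashes'"}
NONCE_OR_HASH = re.compile(r"^'(nonce|sha256|sha384|sha512)-[A-Za-z0-9+/_=-]+'$")


def lint_csp(header_name, value):
    """Return a list of findings for one CSP response header."""
    findings = []
    if header_name.lower() not in STANDARD_HEADERS:
        findings.append(f"legacy header name: {header_name}")
    for raw in value.split(";"):
        tokens = raw.split()
        if not tokens:
            continue
        directive, sources = tokens[0].lower(), tokens[1:]
        if directive not in KNOWN_DIRECTIVES:
            # Browsers skip directives they do not know, so nothing is enforced.
            findings.append(f"unknown directive: {directive}")
            continue
        for src in sources:
            quoted = src.startswith("'")
            if quoted and src.lower() not in KEYWORDS and not NONCE_OR_HASH.match(src):
                findings.append(f"quoted non-keyword source in {directive}: {src}")
    return findings


if __name__ == "__main__":
    # Constructed sample headers; host2.example is a placeholder host.
    samples = [
        ("Content-Security-Policy", "frame-ancestors 'self' host2.example"),
        ("X-Content-Security-Policy", "frame-scr 'self' 'host2.example'"),
    ]
    for name, val in samples:
        print(name, "->", lint_csp(name, val) or "ok")
```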
- RiadSanchz, Apr 03, 2019
Cirrus
I'm a newbie when it comes to CSP - Content Security Policy and I just need one question answered. Can you configure an iRule for CSP when SSL offloading and SSL bridging? I believe so, since both methods perform DPI - Deep Packet Inspection.