SEC7111 HTTP Security Compromised Generated by a JavaScript.

I think it's nice to have an approved answer. All of the credits to go RossVermette who wrote the following iRule that solved the problem completely:

when HTTP_RESPONSE {
  if { HTTP::header value Content-Type] contains "application/json"} {
    STREAM::expression "@http://@https://@"
    STREAM::enable
  }
}

Hey RossVermette!

This worked flawlessly! You should post this as an answer so I can give you the "Accepted Answer"

Correct, just apply the "default" stream profile to the existing vs, and add the iRule.

Thanks to your both! I'll try that during my next troubleshooting session. I tried a stream profile before but it ended up bricking the site. This should be more specific to the json object and perhaps work better.

I'll just apply an empty Stream profile right?

You could try the following: Apply a "stream" profile to your existing vs, and apply the following irule:

when HTTP_RESPONSE {
  if { HTTP::header value Content-Type] contains "application/json"} {
    STREAM::expression "@http://@https://@"
    STREAM::enable
  }
}

Hi Philip,

A bit of an alternative approach here could be to insert this HTTP header:

Content-Security-Policy: upgrade-insecure-requests;

This should make your browser automatically rewrite any insecurely served content to HTTPS.

More info: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/upgrade-insecure-requests

Presumably you have HSTS set and the browser is puking because you're aiming it at http. Is it possible to change the link on the server side? If not then use an iRule that looks purely for that URL ( the page URL, not the Javascript one ) and apply a stream profile only at that point.

pseudocode would be:

when HTTP_REQUEST
    if URI is in datagroup then set $stream = 1
when HTTP_RESPONSE
    if $stream = 1 then apply stream profile

Hey Ross

Absolutely, here you go 🙂

Hypertext Transfer Protocol
    HTTP/1.1 200 OK\r\n
        [Expert Info (Chat/Sequence): HTTP/1.1 200 OK\r\n]
        Request Version: HTTP/1.1
        Status Code: 200
        Response Phrase: OK
    Cache-Control: private, max-age=0\r\n
    Content-Type: application/json; charset=utf-8\r\n
    Server: Microsoft-IIS/7.5\r\n
    X-AspNet-Version: 4.0.30319\r\n
    X-Powered-By: ASP.NET\r\n
    Date: Wed, 12 Sep 2018 11:49:40 GMT\r\n
    Content-Length: 337\r\n
        [Content length: 337]
    \r\n
    [HTTP response 1/1]
    File Data: 337 bytes

Can you provide the HTTP Header from your "trace", I'm interested in the Content-Type value.

We're running 12.1.2 HF1. Do you mean using a Rewrite Profile?

Since we are using HTTP on the back-end I did a packet capture to see the traffic from the back-end server and I actually found where the link will appear. It's inside a JSON object as a key value. We must be able to change this using an iRule of some sort. Perhaps I was too general with my Stream Profile and need to translate the address together with the URI it might work better. Here is the output from the packet capture:

Do you have an idea on how we can best rewrite this URL inside the JSON object?