Forum Discussion
Walter_Kacynski
Apr 18, 2016 | Cirrostratus
Using ASM and CSRF with Angular
Does anyone have experience using ASM CSRF with the Angular framework? I see in normal responses for HTML that the CSRT URL parameter is appended for subsequent requests. However, our Angul...
Charles_Rosenbe
Apr 27, 2016 | Historic F5 Account
I'm not familiar with Angular, so I will only be of limited help here. From the way I understand it, Angular is neither running the JS itself (as a client) nor passing the JS on to the end user. If there is no way for Angular to execute the JS as a client, or if there is no way to pass the JS through to the client (and have Angular pass the complete responses back to ASM), then Angular is likely not compatible with ASM's CSRF protection mechanism as-is.
From my limited understanding, it seems that you likely have 3 options:
1. Find out a way to execute the appropriate JS through Angular, either with Angular as the client or passing it through.
2. Use Angular's XSRF built-in protection and not use ASM's CSRF protection.
3. Use iRules to insert a cookie into the client-side responses that Angular could potentially understand, but the issue here is that if Angular doesn't allow the JS to get executed (either in Angular or on the client), I don't know how the iRule would know what value to insert. In addition, if the links are not appended with the appropriate query string by Angular, the iRule would have to use the incoming request header to rebuild all the links when they are requested, assuming the header existed.
The iRules events that might be useful here are:
HTTP_RESPONSE_RELEASE
Description: An iRule event triggered when the system is about to release HTTP data on the clientside of the connection. This event is triggered after modules process the HTTP response.
https://clouddocs.f5.com/api/irules/HTTP-RESPONSE-RELEASE.html
HTTP_REQUEST
Description: An iRule event triggered when the system fully parses the complete client HTTP request headers (that is, the method, URI, version, and all headers, not including the HTTP request body).
https://clouddocs.f5.com/api/irules/HTTP_REQUEST.html
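Added example, not part of the original replies and not F5 or Angular project code: a sketch of the server-side check that option 2 relies on, using Angular's default `XSRF-TOKEN` cookie and `X-XSRF-TOKEN` header names. The function names (`issueToken`, `checkXsrf`) are hypothetical, and the secret and session id are assumed to come from the application.

```javascript
// Added example: server-side check for Angular's XSRF convention (option 2).
const nodeCrypto = require('crypto');

const COOKIE_NAME = 'XSRF-TOKEN';   // Angular's default cookie name
const HEADER_NAME = 'x-xsrf-token'; // X-XSRF-TOKEN, lower-cased as Node presents it
const SAFE_METHODS = new Set(['GET', 'HEAD', 'OPTIONS']);

function sign(secret, sessionId, nonce) {
  return nodeCrypto.createHmac('sha256', secret)
    .update(`${sessionId}.${nonce}`).digest('hex');
}

// Token = nonce + HMAC(sessionId, nonce). Binding it to the session means a
// token issued for one session is rejected when presented in another.
// Send it as a cookie WITHOUT HttpOnly: Angular's script must read it.
function issueToken(secret, sessionId) {
  const nonce = nodeCrypto.randomBytes(16).toString('hex');
  return `${nonce}.${sign(secret, sessionId, nonce)}`;
}

function parseCookies(header) {
  const out = {};
  for (const part of (header || '').split(';')) {
    const i = part.indexOf('=');
    if (i > 0) out[part.slice(0, i).trim()] = part.slice(i + 1).trim();
  }
  return out;
}

function safeEqual(a, b) {
  const x = Buffer.from(String(a));
  const y = Buffer.from(String(b));
  return x.length === y.length && nodeCrypto.timingSafeEqual(x, y);
}

// req: { method, headers } shaped like Node's http.IncomingMessage.
function checkXsrf(req, secret, sessionId) {
  if (SAFE_METHODS.has(req.method)) return { ok: true, reason: 'safe method' };
  const cookie = parseCookies(req.headers.cookie)[COOKIE_NAME];
  const header = req.headers[HEADER_NAME];
  if (!cookie || !header) return { ok: false, reason: 'missing token' };
  if (!safeEqual(cookie, header)) return { ok: false, reason: 'cookie/header mismatch' };
  const [nonce, mac] = cookie.split('.');
  return safeEqual(mac || '', sign(secret, sessionId, nonce))
    ? { ok: true, reason: 'valid' }
    : { ok: false, reason: 'bad signature' };
}
```

With this check enforced by the application, ASM's own CSRF token injection would be left off for the Angular endpoints, as option 2 describes.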