
Forum Discussion

mapennell_21218
Aug 14, 2015

Way to replace HTTP header being applied by APM portals

All full webtop portals I create have this HTTP header, which I need to override. Using iRules for this is failing.

Header in question:

Content-Security-Policy: default-src 'self' 'unsafe-inline' 'unsafe-eval' ws: wss: jar: data:;

I need to modify it to include "connect-src *"

Here's my iRule:

when HTTP_RESPONSE {
    set cspstring "default-src 'self' 'unsafe-inline' 'unsafe-eval' ws: wss: jar: data:; connect-src *"
    HTTP::header replace Content-Security-Policy $cspstring
}

The header is never replaced on the VS's I apply this to. I can manipulate any other header, but this one seems to be permanent for some reason.

Any help much appreciated! Michael

5 Replies

  • I'm pretty convinced there's something preventing me from modifying the CSP header out of the F5. I can't find this referenced in any documentation. Definitely could use some help...
  • Jon_Bartlett_10
    Historic F5 Account

    What happens if you try removing the header instead of a replace? What version of TMOS are you running?

    when HTTP_RESPONSE_RELEASE {
        foreach header {Content-Security-Policy} {
            log local0. "Removing $header: [HTTP::header value $header]"
            HTTP::header remove $header
        }
    }

    • Abed_AL-R

      Hi Jon Bartlett,

      I came across this issue today, LTM/APM 12.1.3.

      I used the iRule you mentioned and it solved the problem in Chrome.

      In IE Edge or 10 the problem is still happening.

      The thing with IE is that it does not show the error message, it just freezes.

      I even tried replacing the iRule with this one:

      when HTTP_RESPONSE_RELEASE {
          # the body brace must stay on the foreach line; on its own line Tcl
          # reports "wrong # args" and the rule never removes anything
          foreach header {X-Content-Security-Policy} {
              log local0. "Removing $header: [HTTP::header value $header]"
              HTTP::header remove $header
          }
      }

      Didn't help.

      If I try to open the web application internally, without APM, it works fine with all browsers.

      What could be done here?

  • The CSP header value is actually coming from APM, so there's no local response event that can catch that. The best option would be to put a VIP targeting solution in front of your APM VIP. The external VIP would be able to see and manipulate the internal APM's responses. You'd put your client SSL handling on the external VIP and the internal APM VIP would listen on HTTP. Here's what that external iRule might look like:

    when CLIENT_ACCEPTED {
        virtual internal-vip
    }
    when HTTP_RESPONSE {
        if { [HTTP::header exists Content-Security-Policy] } {
            # Append connect-src as its own ';'-separated directive. A plain
            # string map of ";" -> " connect-src *;" would leave the token inside
            # the default-src source list, where browsers ignore it.
            set csp [string trimright [HTTP::header value Content-Security-Policy] "; "]
            HTTP::header replace Content-Security-Policy "${csp}; connect-src *"
        }
    }
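The directive-merge step in the reply above is the part that is easy to get wrong: CSP directives are `;`-separated, and any token that lands after `default-src` without its own `;` is read as a source expression, not as a new directive. The following is an added example, not code from the thread or from F5, written in Python rather than Tcl so it can be run and tested outside TMOS. It reproduces what a bare `string map {";" " connect-src *;"}` does to the header quoted in the question, parses the result the way a browser would, and shows a merge that inserts or replaces `connect-src` as a proper directive. `SAMPLE_CSP` is the value from the question; `parse_csp`, `naive_string_map` and `set_connect_src` are names chosen here.

```python
# Added example (not from the thread or from F5). Header value is the one the
# question quotes; the function names are this example's own.

SAMPLE_CSP = "default-src 'self' 'unsafe-inline' 'unsafe-eval' ws: wss: jar: data:;"


def parse_csp(csp: str) -> dict:
    """Split a CSP value into {directive-name: [source expressions]}.

    Directives are separated by ';' and each is 'name source source ...'.
    Everything after the name is a source, which is why a 'connect-src'
    token placed inside default-src is not a directive at all."""
    policy = {}
    for raw in csp.split(";"):
        tokens = raw.split()
        if not tokens:
            continue
        name = tokens[0].lower()
        # a repeated directive name is ignored by browsers; keep the first
        policy.setdefault(name, tokens[1:])
    return policy


def naive_string_map(csp: str) -> str:
    """Python equivalent of Tcl `string map {";" " connect-src *;"}`."""
    return csp.replace(";", " connect-src *;")


def set_connect_src(csp: str, sources: str = "*") -> str:
    """Return csp with connect-src set to `sources`.

    An existing connect-src directive is replaced, otherwise one is appended;
    all other directives are left exactly as they were."""
    directives = [d.strip() for d in csp.split(";") if d.strip()]
    out = []
    replaced = False
    for d in directives:
        if d.split()[0].lower() == "connect-src":
            out.append(f"connect-src {sources}")
            replaced = True
        else:
            out.append(d)
    if not replaced:
        out.append(f"connect-src {sources}")
    # keep the trailing ';' style of the original value
    trailing = ";" if csp.rstrip().endswith(";") else ""
    return "; ".join(out) + trailing


if __name__ == "__main__":
    broken = naive_string_map(SAMPLE_CSP)
    fixed = set_connect_src(SAMPLE_CSP)
    print("string map result:", broken)
    print("  connect-src directive present:", "connect-src" in parse_csp(broken))
    print("merged result    :", fixed)
    print("  connect-src directive present:", parse_csp(fixed).get("connect-src"))
```

`set_connect_src` takes the source list as a parameter so the rewrite can name the specific origins the portal actually needs to reach instead of `*`; the same logic, expressed in Tcl, is what the external-VIP iRule should do before calling `HTTP::header replace`.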