Workaround for CSS patching and Subresource Integrity enabled websites

Problem this snippet solves:

Subresource Integrity (SRI) is a new W3C specification that allows web developers to ensure that resources hosted on third-party servers have not been tampered with. Websites that make use of SRI can break when CSS patching is used within APM Portal Access. This very basic snippet will simply disable SRI by removing it.

The picture below shows an example of Chrome blocking a stylesheet from being loading (Chrome DevTools -> Console).

How to use this snippet:

Assign both a STREAM profile and this iRule to the Virtual Server.

Code :

    # set STREAM::expression to match sha256, sha384 and sha512 integrity hashes.
    # integrity must at least contain 40 characters (base64 encoding of 256 bits is around 43 bytes).
    # and max integrity message must be less than 250 bytes (integrity + sha256 + sha384 + sha512 around 230 bytes).
    # credits go to Stanislas Piron for improving the STREAM::expression.
    set SRI_STREAM_EXPRESSION {@integrity="sha(256|384|512)-[^"]{40,250}"@@}

    # Disable the stream filter by default   

    # LTM does not uncompress response content, so if the server has compression enabled
    # and it cannot be disabled on the server, we can prevent the server from
    # sending a compressed response by removing the compression offerings from the client
    HTTP::header remove "Accept-Encoding"

    # Check if we're rewriting the response   
    if {[HTTP::header value Content-Type] contains "text"}{ 
        # set the STREAM::expression
        # Enable the stream filter for this response only     

Tested this on version:

Published Jun 08, 2018
Version 1.0

Was this article helpful?

1 Comment

  • ijdod's avatar
    Icon for Nimbostratus rankNimbostratus

    Just as a side note: the stream profile is under advanced settings of the virtual server.