Last Modified: Jul 12, 2023
Affected Product(s):
BIG-IP ASM
Known Affected Versions:
13.1.0, 13.1.0.1, 13.1.0.2, 13.1.0.3, 13.1.0.4, 13.1.0.5, 13.1.0.6, 13.1.0.7, 13.1.0.8, 13.1.1, 13.1.1.2, 13.1.1.3, 13.1.1.4, 13.1.1.5, 13.1.3, 13.1.3.1, 13.1.3.2, 13.1.3.3, 14.0.0, 14.0.0.1, 14.0.0.2, 14.0.0.3, 14.0.0.4, 14.0.0.5, 14.0.1, 14.0.1.1, 14.1.0, 14.1.0.1, 14.1.0.2, 14.1.0.3, 14.1.0.5, 14.1.0.6, 14.1.2, 14.1.2.1, 14.1.2.2
Fixed In:
15.0.0, 14.1.2.3, 13.1.3.4
Opened: Dec 26, 2018 Severity: 2-Critical
When the backend server sends a content-security-policy header where source-src and default-src directives are missing, ASM will modify the header when it does its own JavaScript injection, which might cause a csp policy violation for inline JavaScript code.
Inline JavaScript does not run. The Browser reports a content-security-policy violation.
-- ASM provisioned. -- ASM or Bot-Defense/DoS attached on a virtual server. -- ASM or Bot/Dos does inline injections, like CSRF/CSHUI.
You can use either of the following workarounds: -- Disable csp in ASM by running the following commands: /usr/share/ts/bin/add_del_internal add csp_enabled 0 bigstart restart asm -- Disable csp in Bot/DoS using an iRule: when HTTP_REQUEST { set csp 0 } when HTTP_RESPONSE { if { [HTTP::header exists Content-Security-Policy] } { set csp "[HTTP::header values Content-Security-Policy]" } } when HTTP_RESPONSE_RELEASE { if { $csp != 0 } { HTTP::header replace Content-Security-Policy $csp } set csp 0 }
ASM/Bot/DoSL7 no longer modifies the csp header when both source-src and default-src directives are missing.