Bug ID 754109: ASM content-security-policy header modification violates Content Security Policy directive

Last Modified: Sep 06, 2019

Bug Tracker

Affected Product:  See more info
BIG-IP ASM(all modules)

Known Affected Versions:
13.1.0, 13.1.0.1, 13.1.0.2, 13.1.0.3, 13.1.0.4, 13.1.0.5, 13.1.0.6, 13.1.0.7, 13.1.0.8, 13.1.1, 13.1.1.1, 13.1.1.2, 13.1.1.3, 13.1.1.4, 13.1.1.5, 13.1.3, 14.0.0, 14.0.0.1, 14.0.0.2, 14.0.0.3, 14.0.0.4, 14.0.0.5, 14.0.1, 14.1.0, 14.1.0.1, 14.1.0.2, 14.1.0.3, 14.1.0.4, 14.1.0.5, 14.1.0.6, 14.1.2

Fixed In:
15.0.0

Opened: Dec 26, 2018
Severity: 4-Minor

Symptoms

When the backend server sends a content-security-policy header where source-src and default-src directives are missing, ASM will modify the header when it does its own JavaScript injection, which might cause a csp policy violation for inline JavaScript code.

Impact

Inline JavaScript does not run. The Browser reports a content-security-policy violation.

Conditions

-- ASM provisioned. -- ASM policy attached on a virtual server. -- ASM policy has CSRF or AJAX Blocking page enabled.

Workaround

Disable csp in ASM by running the following commands: -- /usr/share/ts/bin/add_del_internal add csp_enabled 0 -- bigstart restart asm

Fix Information

ASM no longer modifies the csp header when both source-src and default-src directives are missing.

Behavior Change