Bug ID 849349: Adding a new option to disable CSP header modification in bot defense/dosl7 via sys db.

Last Modified: Jan 20, 2023

Bug Tracker

Affected Product:  See more info
BIG-IP ASM(all modules)

Known Affected Versions:
14.1.0, 14.1.0.1, 14.1.0.2, 14.1.0.3, 14.1.0.5, 14.1.0.6, 14.1.2, 14.1.2.1, 14.1.2.2, 14.1.2.3, 14.1.2.4, 14.1.2.5, 14.1.2.6, 14.1.2.7, 14.1.2.8, 14.1.3, 14.1.3.1, 14.1.4, 14.1.4.1, 14.1.4.2, 14.1.4.3, 14.1.4.4, 14.1.4.5, 14.1.4.6, 14.1.5, 14.1.5.1, 14.1.5.2, 14.1.5.3, 15.0.0, 15.0.1, 15.0.1.1, 15.0.1.2, 15.0.1.3, 15.0.1.4, 15.1.0, 15.1.0.1, 15.1.0.2, 15.1.0.3, 15.1.0.4, 15.1.0.5, 15.1.1, 15.1.2, 15.1.2.1, 15.1.3, 15.1.3.1, 15.1.4, 15.1.4.1, 15.1.5, 15.1.5.1, 15.1.6, 15.1.6.1, 15.1.7, 15.1.8, 15.1.8.1

Fixed In:
16.0.0

Opened: Nov 13, 2019
Severity: 3-Major

Symptoms

Web app flow might fail resulting in JavaScript errors related to CSP policy.

Impact

Web application flow might fail.

Conditions

-- ASM provisioned. -- Bot-Defense or DoS Application profile assigned to a virtual server. -- The backend server sends CSP headers.

Workaround

Attach an iRule: when HTTP_REQUEST { set csp 0 } when HTTP_RESPONSE { if { [HTTP::header exists Content-Security-Policy] } { set csp "[HTTP::header value Content-Security-Policy]" } } when HTTP_RESPONSE_RELEASE { if { $csp != 0 } { HTTP::header replace Content-Security-Policy $csp } set csp 0 }

Fix Information

A db variable has been added to disable CSP headers modification: tmsh modify sys db botdefense.content_security_policy enable|disable It is enabled by default.

Behavior Change