search cancel

Content Security Policy violations in browsers when using an origin-*-redirect authentication mode

book

Article ID: 173730

calendar_today

Updated On:

Products

ProxySG Software - SGOS

Issue/Introduction

Content Security Policy is a security mechanism which is used to help prevent XSS (cross-site scripting) attacks for web pages loaded by your browser. The mechanism defines the header Content-Security-Policy and is provided in the response packet by the server. It contains several directives which indicate what origins specific content can be loaded from.

If this header is presented by the server and we redirect content to a virtual URL (origin-*-redirect auth mode), the browser will generate Content Security Violation errors and some content will not load on the page since our virtual URL is not defined in the CSP directives of the header.

More information on CSP directives can be found https://www.w3.org/TR/CSP/#csp-directives

 

A similar issue is presented when trying to authenticate CORS requests. Please see TECH246208 for a solution to CORS violation errors.

Resolution

CSP does not provide security over-the-wire, the header can be modified or removed entirely without issue. The solutions below are provided as CPL code and can be added in a CPL Layer in the Visual Policy Manager.

  1. The simplest solution is to remove the header from response packets. Please note that this downgrades security while accessing web pages in the sense that client side XSS may be possible.

    <proxy>
        action.delete_csp_header(yes)

    define action delete_csp_header
        delete(response.x_header.Content-Security-Policy)
    end
  1. In order to not remove the header entirely, it is possible to use CPL code to add a virtual url to CSP directives. The below CPL code uses an example URL of https://virtual.url:4433. Replace this string with thje custom URL

<proxy>
    action.add_virtual_url_to_csp(yes)

define action add_virtual_url_to_csp
    iterate(response.x_header.Content-Security-Policy)
        iterator.regex="script-src" iterator.rewrite("(.*)script-src(.*)", "$(1)script-src https://virtual.url:4433$(2)")
    end
    iterate(response.x_header.Content-Security-Policy)
         iterator.regex="connect-src" iterator.rewrite("(.*)connect-src(.*)", "$(1)connect-src https://virtual.url:4433$(2)")
    end
    iterate(response.x_header.Content-Security-Policy)
          iterator.regex="img-src" iterator.rewrite("(.*)img-src(.*)", "$(1)img-src https://virtual.url:4433$(2)")
    end
    iterate(response.x_header.Content-Security-Policy)
          iterator.regex="style-src" iterator.rewrite("(.*)style-src(.*)", "$(1)style-src https://virtual.url:4433$(2)")
    end
end

Note: Only a few common CSP directives have been included here. If errors for additional directives are seen, they can be added to the CPL code by adding additional blocks in the format:

    iterate(response.x_header.Content-Security-Policy)
          iterator.regex="directive-name" iterator.rewrite("(.*)directive-name(.*)", "$(1)directive-name virtualurl$(2)")
    end