Symptoms
The browser reports a Content-Security-Policy error when ASM modifies the 'Content-Security-Policy' (CSP) header.
Impact
The browser reports a 'Content-Security-Policy' error and stops JavaScript execution.
Conditions
1. ASM provisioned.
2. ASM policy attached to a virtual server.
3. CSRF or Ajax blocking page enabled within the ASM policy.
4. Backend server sends 'Content-Security-Policy' header with 'script-src' 'unsafe-inline' directive.
Workaround
Disable 'Content-Security-Policy' header parsing for ASM policies. To do so, follow these steps:
1. In /usr/share/ts/bin/add_del_internal, run the following command:
add csp_enabled 0
2. Restart ASM by running the following command:
bigstart restart asm
Fix Information
The ASM 'Content-Security-Policy' header parser no longer modifies the 'Content-Security-Policy' header when a 'script-src' 'unsafe-inline' directive arrives from a backend server. This is correct behavior.
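
To check whether an application meets condition 4, and whether the header the browser receives still differs from the one the backend sent, the two header values can be compared directive by directive. This is an added diagnostic example, not F5 code; the header values and the https://added.example token are constructed placeholders and do not represent what ASM actually inserts.

```python
def parse_csp(value):
    """Parse a CSP header value into {directive: [source, ...]}."""
    policy = {}
    for part in value.split(";"):
        tokens = part.split()
        if not tokens:
            continue
        name = tokens[0].lower()  # directive names are case-insensitive
        # Browsers ignore a repeated directive: the first occurrence wins.
        if name not in policy:
            policy[name] = tokens[1:]
    return policy


def has_inline_script_src(value):
    """Condition 4: 'script-src' carries the 'unsafe-inline' keyword."""
    sources = parse_csp(value).get("script-src", [])
    return any(s.lower() == "'unsafe-inline'" for s in sources)


def csp_diff(backend_value, client_value):
    """Return {directive: (added, removed)} for every directive that differs
    between the backend header and the header seen through the virtual server."""
    before, after = parse_csp(backend_value), parse_csp(client_value)
    changes = {}
    for name in sorted(set(before) | set(after)):
        b, a = before.get(name, []), after.get(name, [])
        added = [s for s in a if s not in b]
        removed = [s for s in b if s not in a]
        if added or removed or (name in before) != (name in after):
            changes[name] = (added, removed)
    return changes


# Constructed sample values: BACKEND is what the pool member sends,
# CLIENT_MODIFIED is a hypothetical altered header seen by the browser.
BACKEND = "default-src 'self'; script-src 'self' 'unsafe-inline'; img-src *"
CLIENT_MODIFIED = ("default-src 'self'; "
                   "script-src 'self' 'unsafe-inline' https://added.example; "
                   "img-src *")

if __name__ == "__main__":
    print("condition 4 met:", has_inline_script_src(BACKEND))
    print("header changes:", csp_diff(BACKEND, CLIENT_MODIFIED))
    print("unmodified case:", csp_diff(BACKEND, BACKEND))
```

An empty result from csp_diff means the header reached the browser unmodified, which is the behavior described under Fix Information.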