bug: Some headers are not supported in the response-rewrite plugin
leandrocostam opened this issue · comments
Current Behavior
I am trying to add some headers using the response-rewrite plugin in the APISIXRoute CRD, but I am facing an error in the APISIX controller. The current pattern doesn't allow header values that contain multiple `:`. A common use case is when you have to add the Content-Security-Policy header with multiple domains using `https://`.
Expected Behavior
I should be able to define values for the headers using multiple `:`.
Error Logs
ApisixRoute Resource Events

```
Source: ApisixIngress
ApisixIngress synced failed, with error: 3 errors occurred:
* plugin [response-rewrite] config is invalid
* - headers: Must validate at least one schema (anyOf)
* - headers.add.6: Does not match pattern '^[^:]+:[^:]+[^/]$'
```
Steps to Reproduce
- Create the following APISIXRoute CRD resource in an existing Kubernetes cluster with the APISIX Ingress Controller installed:
```yaml
apiVersion: apisix.apache.org/v2
kind: ApisixRoute
metadata:
  name: httpbin-route
spec:
  http:
  - name: rule1
    match:
      hosts:
      - httpbin.org
      paths:
      - /*
    backends:
    - serviceName: foo
      servicePort: 8080
    plugins:
    - name: response-rewrite
      enable: true
      config:
        headers:
          add:
          - "Content-Security-Policy: default-src 'self' 'unsafe-inline'; connect-src 'self' https://example.com; img-src 'self' data: blob:"
```
- Deploy the resource and check the events of the ApisixRoute CRD to see the error message.
Environment
- APISIX version: Apisix Ingress Controller 1.8.0
- Operating system: GKE cluster running k8s 1.27
cc: @Revolyssup
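To make the failure concrete, the following Go program (added here as an illustration, not code from the APISIX project) runs the exact pattern quoted in the event, `^[^:]+:[^:]+[^/]$`, over the CSP values from this issue together with the plain `example.com` form, and contrasts it with a hypothetical check that splits on the first colon only, which is what a `Name: value` entry needs if the value itself may contain colons (as CSP source lists and `https://` origins do). `SplitHeader`, `isToken` and `RejectedEntries` are names chosen for this example; the sample header strings are constructed from the issue text.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// addPattern is the pattern quoted verbatim in the ApisixRoute event:
// exactly one colon anywhere in the entry, and no trailing slash.
var addPattern = regexp.MustCompile(`^[^:]+:[^:]+[^/]$`)

// MatchesAddPattern reports whether a "Name: value" entry passes that pattern.
func MatchesAddPattern(entry string) bool {
	return addPattern.MatchString(entry)
}

// RejectedEntries returns the indexes of headers.add entries the pattern rejects,
// i.e. the "<n>" in the controller's "headers.add.<n>: Does not match pattern" error.
func RejectedEntries(entries []string) []int {
	var rejected []int
	for i, e := range entries {
		if !MatchesAddPattern(e) {
			rejected = append(rejected, i)
		}
	}
	return rejected
}

// SplitHeader is a hypothetical alternative check (not the project's code):
// split on the first colon only, so the value may contain further colons.
// The header name must be a non-empty HTTP token and the value non-empty.
func SplitHeader(entry string) (name, value string, ok bool) {
	i := strings.IndexByte(entry, ':')
	if i < 0 {
		return "", "", false
	}
	name = strings.TrimSpace(entry[:i])
	value = strings.TrimSpace(entry[i+1:])
	if name == "" || value == "" || !isToken(name) {
		return "", "", false
	}
	return name, value, true
}

// isToken checks that every rune is an RFC 9110 tchar (valid in a field name).
func isToken(s string) bool {
	for _, r := range s {
		switch {
		case r >= 'a' && r <= 'z', r >= 'A' && r <= 'Z', r >= '0' && r <= '9':
		case strings.ContainsRune("!#$%&'*+-.^_`|~", r):
		default:
			return false
		}
	}
	return true
}

func main() {
	// Constructed samples: a plain header, the workaround form, and the two
	// CSP values from this issue that the pattern rejects.
	samples := []string{
		"X-Frame-Options: DENY",
		"Content-Security-Policy: default-src 'self' example.com",
		"Content-Security-Policy: default-src 'self' 'unsafe-inline'; connect-src 'self' https://example.com; img-src 'self' data: blob:",
		"Content-Security-Policy: img-src 'self' data: blob:",
	}
	for i, s := range samples {
		name, value, ok := SplitHeader(s)
		fmt.Printf("add.%d pattern=%v split=%v name=%q value=%q\n",
			i, MatchesAddPattern(s), ok, name, value)
	}
	fmt.Println("rejected by pattern:", RejectedEntries(samples))
}
```

Running it shows entries 2 and 3 rejected by the pattern while the first-colon split accepts all four and recovers the full CSP value intact, which is the behaviour the issue asks for.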
@leandrocostam We had the same issue. To avoid it you can put: "example.com" instead of "https://example.com" in Content-Security-Policy. It works in the same way
Yes, that works when you don't have to restrict the load over HTTPS. It's something that we need right now 😞
Also, there are cases where you can have the following CSP policy block:
img-src 'self' data: blob:
It also breaks the response-rewrite plugin
We are using `headers.set` as a workaround for now. By checking the code, it's a different validation and it's not breaking the plugin.