apache / apisix-ingress-controller

APISIX Ingress Controller for Kubernetes

Home Page:https://apisix.apache.org/

bug: Some headers are not supported in the response-rewrite plugin

leandrocostam opened this issue · comments

Current Behavior

I am trying to add some headers using the response-rewrite plugin in the APISIXRoute CRD, but I am facing an error in the APISIX controller. The current pattern doesn't allow header values that contain multiple colons (:). A common use case is when you have to add the Content-Security-Policy header with multiple domains using https://.

Expected Behavior

I should be able to define values for the headers using multiple colons (:).

Error Logs

ApisixRoute Resource Events
Source: ApisixIngress


ApisixIngress synced failed, with error: 3 errors occurred: * plugin [response-rewrite] config is invalid * - headers: Must validate at least one schema (anyOf) * - headers.add.6: Does not match pattern '^[^:]+:[^:]+[^/]$'

Steps to Reproduce

  1. Create the following APISIXRoute CRD resource in an existing Kubernetes cluster with the APISIX Ingress Controller installed:

apiVersion: apisix.apache.org/v2
kind: ApisixRoute
metadata:
  name: httpbin-route
spec:
  http:
  - name: rule1
    match:
      hosts:
      - httpbin.org
      paths:
      - /*
    backends:
    - serviceName: foo
      servicePort: 8080
    plugins:
    - name: response-rewrite
      enable: true
      config:
        headers:
          add:
          - "Content-Security-Policy: default-src 'self' 'unsafe-inline'; connect-src 'self' https://example.com; img-src 'self' data: blob:"

  2. Deploy the resource and check the events of the ApisixRoute CRD to see the error message.

Environment

  • APISIX version: Apisix Ingress Controller 1.8.0
  • Operating system: GKE cluster running k8s 1.27

@leandrocostam We had the same issue. To avoid it you can put: "example.com" instead of "https://example.com" in Content-Security-Policy. It works in the same way

Yes, that works when you don't have to restrict the load over HTTPS. It's something that we need right now 😞

Also, there are cases where you can have the following CSP policy block:

img-src 'self' data: blob:

It also breaks the response-rewrite plugin.

We are using headers.set as a workaround for now. Checking the code, it goes through a different validation and doesn't break the plugin.
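To make the rejection concrete, here is an added example (not code from the apisix-ingress-controller project) that runs the pattern quoted in the error log above, '^[^:]+:[^:]+[^/]$', over the CSP values from the issue and the later comment, alongside an illustrative relaxed pattern and a first-colon split; the relaxed pattern and the sample header list are assumptions made for this example, not the project's fix.

```python
import re

# Pattern quoted verbatim in the controller's error message above: the schema for
# headers.add accepts exactly one colon and rejects a value ending in '/'.
CURRENT_PATTERN = re.compile(r"^[^:]+:[^:]+[^/]$")

# Illustrative alternative (an assumption for this example, NOT the project's fix):
# the header name may not contain a colon, the value may contain any number of
# colons, and the original "no trailing slash" rule is preserved.
RELAXED_PATTERN = re.compile(r"^[^:]+:.*[^/]$")

# Constructed sample entries for headers.add, including the two CSP values from the thread.
HEADERS_ADD = [
    "X-Frame-Options: DENY",
    "Content-Security-Policy: default-src 'self' 'unsafe-inline'; connect-src 'self' https://example.com; img-src 'self' data: blob:",
    "Content-Security-Policy: img-src 'self' data: blob:",
    "Location: https://example.com/",   # trailing slash: rejected by both patterns
    "Malformed-No-Colon",               # no separator: rejected by both patterns
]


def rejected_by(pattern, entries):
    """Return the entries that the given schema pattern would refuse."""
    return [e for e in entries if pattern.fullmatch(e) is None]


def split_header(entry):
    """Split a 'Name: value' entry on the FIRST colon only, the way an HTTP header
    parser does, so colons inside the value (https://, data:, blob:) never break
    the split. Returns None when the name or the value is missing."""
    name, sep, value = entry.partition(":")
    if not sep or not name.strip() or not value.strip():
        return None
    return name.strip(), value.strip()


if __name__ == "__main__":
    for label, pat in (("current", CURRENT_PATTERN), ("relaxed", RELAXED_PATTERN)):
        print(f"{label} pattern rejects:")
        for entry in rejected_by(pat, HEADERS_ADD):
            print("  ", entry)
    print("parsed:", split_header(HEADERS_ADD[1]))
```

Running it shows that every value containing a second colon, including one with only an https:// URL, fails the current pattern, while the relaxed pattern still rejects the malformed and trailing-slash entries.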