GUI : Content Security Policy violation

[PhilLaCiotat]

Because using a WAF in front of EJBCA service then domain name change and when I try on the GUI to edit a RA profile (and only from this form) I got this browser console CPS error :
Refused to send form data to 'https://pki-admin.test.gemalto.com:8443/ejbca/adminweb/ra/editendentityprofiles/editendentityprofiles.xhtml' because it violates the following Content Security Policy directive: "form-action 'self'".
So I tried to put in ejbca/conf a web.properties file containing :
web.header.content_security_policy=default-src 'none'; style-src 'none' 'unsafe-inline'; script-src 'none' 'unsafe-inline' 'unsafe-eval'; img-src 'none'; frame-src 'none'; font-src 'none'; connect-src 'none'; form-action 'none'

But error is still there...
What can I do..?

[PhilLaCiotat]

Trying with * instead of none, but same behaviour : not taken in account...
web.header.content_security_policy=default-src ''; style-src '' 'unsafe-inline'; script-src '' 'unsafe-inline' 'unsafe-eval'; img-src ''; frame-src ''; font-src ''; connect-src ''; form-action ''
=>
editendentityprofiles.xhtml:1 Refused to send form data to 'https://pki-admin.test.gemalto.com:8443/ejbca/adminweb/ra/editendentityprofiles/editendentityprofiles.xhtml' because it violates the following Content Security Policy directive: "form-action 'self'".

Is this file or parameters embedded in ear file or located in another place ?

[primetomas]

A WAF should not force the application behind it to loosen security configuration should it? There's good reason for using "self".
https://content-security-policy.com/form-action/

You can easily check when EJBCA responds with using your browser, when accessing it directly. When changing web.properties you have to rebuild and redeploy.

[PhilLaCiotat]

Hello Tomas, thanks for your quick feedback,
You are right, lower security in EJBCA is not our target, it was just to test
But now the root cause is :
Is it possible to configure an "external" url for GUI which will be used inside to target the reverse proxy in front of EJBCA application
Meaning click buttons will target extern-gwaf url, and not local internal-ejbca application...?
It already exist in other components like keycloak for example...
Thanks,

[PhilLaCiotat]

Again (only on some GUI admin buttons) :
My configuration is : brower=> gwaf (pki-admin:8443) => kong => pki-ca:8444 (ejbca internal k8s service)

=> 'https://pki-admin.test.gemalto.com:8443/ejbca/adminweb/ra/editendentityprofiles/editendentityprofiles.xhtml' : REFUSED

Disabling "form-action 'self'" CSP
=> https://pki-ca:8444/ejbca/adminweb/ra/editendentityprofiles/endentityprofilepage.xhtml?id=630003694 : not reachable from brower

Please tell me how to do this configuration working..

[primetomas]

Sorry, this integration exceeds my expertise and what I am able to do on a voluntary basis. I know some of my colleagues in professional services are working with customer's WAF environments.