Google Chrome Version 84 implements the W3C Community Group draft report User-Agent Client Hints [1] to perform agent-based content negotiation. Some of these headers are blocked by Airlock WAF when the strict or legacy deny rule security level is enforced on a mapping. Affected users will no longer be able to access any web resource protected by these mappings.
The following Chrome versions are affected:
Example header which will be blocked:
Sec-CH-UA: "Google Chrome";v="83"
Affected Deny Rules
Please note that the affected legacy deny rule set is deprecated and no longer maintained, and should be migrated to the new rule sets. Nevertheless, the hotfix mentioned below will also fix the legacy rule set. We highly recommend migrating legacy rules because they are outdated and will be removed in the next major version 8.0.
For testing purposes, "Experimental Web Platform features" can be enabled in "about://flags" in Chrome 83 to reproduce the problem.
Hotfixes to modify the affected Deny Rules are available for all supported releases [3].
As a workaround, the following Apache Expert Settings can be set globally to remove the affected headers from any request:
RequestHeader unset Sec-CH-UA
RequestHeader unset Sec-CH-UA-Platform
[1] https://wicg.github.io/ua-client-hints/
[2] https://www.chromestatus.com/features/schedule
[3] https://techzone.ergon.ch/lifecycle