Hi @Dino-at-Google, I want to throw an error when I encounter # in the request URI. I have tried to implement this check using the regular expression protection policy, but the policy is allowing # to pass.
Does Apigee support filtering #? Can you suggest how it can be implemented?
Regards,
Saikat
Under normal circumstances, Apigee Edge should never see a URI with a fragment identifier, aka #.
The octothorpe (hash, e.g. #) character is a fragment separator in a URL. It is intended for use by CLIENTS. When a browser receives a URL with a # within it, for example with a redirect / Location header, or as a result of the user clicking a link, the browser requests the URL for everything up to but not including the #, and then with the resulting content, scrolls to the anchor indicated by the part falling after the #. The server, whatever it is, never sees the # character.
But, some clients may act in contravention of the specification, and may send URIs that contain # to servers. I've never seen that, but it might be possible.
> I want to throw error when I encounter # in request uri. I have tried to implement this check using regular expression protection policy, but the policy is allowing # to pass.
Can you explain how you are sending URLs that contain fragment identifiers into Apigee Edge?
Hi @Saikat Das,
If you check the Apigee trace, you won't see the (#) hash value there at all, which means it gets cleaned up before it comes to Apigee.
From Postman:
```
curl -X GET \
  'http://xxxxxx/regx-demo/c?t=win&s=chess#para5' \
  -H 'Accept: */*' \
  -H 'Accept-Encoding: gzip, deflate' \
  -H 'Cache-Control: no-cache' \
  -H 'Connection: keep-alive' \
  -H 'Host: itravindrasingh6-eval-test.apigee.net' \
  -H 'Postman-Token: 25dba6a3-034f-435e-8467-9f037f09b371,df55eabe-28be-4705-91e1-be61aeb59167' \
  -H 'User-Agent: PostmanRuntime/7.15.2' \
  -H 'cache-control: no-cache'
```
on apigee trace -
What is your use case? Then we can help you find a better solution.
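The behaviour described in this thread, as an added example that is not code from any of the posters or from Apigee: a spec-compliant client sends only path and query, so a server-side pattern for a literal # has nothing to match, while a percent-encoded %23 is ordinary data that does reach the server. The host `example.test` and the function names are assumptions made for illustration.

```javascript
// Added example; sample URLs are constructed and function names are hypothetical.

// What a spec-compliant HTTP client puts on the request line: path + query.
// Everything from '#' onward (the fragment) stays on the client.
function requestTargetSentByClient(urlString) {
  const u = new URL(urlString);
  return { target: u.pathname + u.search, fragmentKeptByClient: u.hash };
}

// Server-side inspection of the raw request-target as received on the wire.
// A literal '#' can only appear if the client ignored the specification.
// '%23' is a percent-encoded '#': it is data, not a fragment separator,
// and it is transmitted to the server like any other query content.
function inspectRequestTarget(rawTarget) {
  return {
    literalHash: rawTarget.includes('#'),
    encodedHash: /%23/i.test(rawTarget),
  };
}

function demo() {
  const samples = [
    // Same shape as the request in the thread: fragment after the query.
    'http://example.test/regx-demo/c?t=win&s=chess#para5',
    // Encoded hash inside a query value: this one is visible to the server.
    'http://example.test/regx-demo/c?t=win&s=chess%23para5',
  ];
  return samples.map((url) => {
    const sent = requestTargetSentByClient(url);
    return { url, ...sent, ...inspectRequestTarget(sent.target) };
  });
}

console.log(demo());
```

A check that must reject hash characters arriving in request data therefore has to look for the encoded form as well as the literal one.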