Does Apigee support filtering #, Does Apigee support # filtration in Regex expression policy?

Hi @Dino-at-Google, I want to throw an error when I encounter # in the request URI. I have tried to implement this check using the regular expression protection policy, but the policy is allowing # to pass.

Does Apigee support filtering #? Can you suggest how it can be implemented?

Regards,

Saikat

1 ACCEPTED SOLUTION

Under normal circumstances, Apigee Edge should never see a URI with a fragment identifier, aka #.

The octothorpe (hash, e.g. #) character is a fragment separator in a URL. It is intended for use by CLIENTS. When a browser receives a URL with a # within it, for example with a redirect / Location header, or as a result of the user clicking a link, the browser requests the URL for everything up to but not including the #, and then with the resulting content, scrolls to the anchor indicated by the part falling after the #. The server, whatever it is, never sees the # character.

But, some clients may act in contravention of the specification, and may send URIs that contain # to servers. I've never seen that, but it might be possible.

I want to throw an error when I encounter # in the request URI. I have tried to implement this check using the regular expression protection policy, but the policy is allowing # to pass.

Can you explain how you are sending URLs that contain fragment identifiers into Apigee Edge?


2 REPLIES

Hi @Saikat Das,

If you check the Apigee trace, you won't see the (#) hash value there at all, which means it gets cleaned up before it comes to Apigee.

From Postman:

curl -X GET \
  'http://xxxxxx/regx-demo/c?t=win&s=chess#para5' \
  -H 'Accept: */*' \
  -H 'Accept-Encoding: gzip, deflate' \
  -H 'Cache-Control: no-cache' \
  -H 'Connection: keep-alive' \
  -H 'Host: itravindrasingh6-eval-test.apigee.net' \
  -H 'Postman-Token: 25dba6a3-034f-435e-8467-9f037f09b371,df55eabe-28be-4705-91e1-be61aeb59167' \
  -H 'User-Agent: PostmanRuntime/7.15.2' \
  -H 'cache-control: no-cache'

on apigee trace -

What is your use case? Then we can help you find a better solution.
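The behaviour discussed in this thread, as an added example that is not part of the original posts and is not Apigee policy code: it builds the request line a spec-following client sends for the URL in the curl command above, compares it with what a client that forwards the URL verbatim would send, and applies a gateway-side check for a literal # in the request target. The function names are hypothetical and no Apigee API is used.

```python
from urllib.parse import urlsplit

def compliant_request_line(url, method="GET"):
    """Request line a spec-following client sends: path + query, fragment dropped."""
    parts = urlsplit(url)
    target = parts.path or "/"
    if parts.query:
        target += "?" + parts.query
    return f"{method} {target} HTTP/1.1"

def verbatim_request_line(url, method="GET"):
    """Hypothetical non-compliant client: forwards everything after the authority."""
    after_scheme = url.split("://", 1)[1]
    target = "/" + after_scheme.split("/", 1)[1] if "/" in after_scheme else "/"
    return f"{method} {target} HTTP/1.1"

def gateway_check(request_line):
    """Return (status, fragment_seen) for a raw request line.

    A literal '#' is not valid in an origin-form request target, so it is
    rejected with 400. '%23' is an encoded data character, not a fragment
    delimiter, and is allowed through.
    """
    try:
        method, target, version = request_line.split(" ")
    except ValueError:
        return 400, None          # malformed request line
    if "#" in target:
        return 400, target.split("#", 1)[1]
    return 200, None

# URL from the Postman/curl example on this page (host is the page's placeholder).
URL = "http://xxxxxx/regx-demo/c?t=win&s=chess#para5"

if __name__ == "__main__":
    samples = (
        compliant_request_line(URL),   # what normally reaches the proxy
        verbatim_request_line(URL),    # only seen from a misbehaving client
        "GET /regx-demo/c?t=win&s=chess%23para5 HTTP/1.1",  # constructed sample
    )
    for line in samples:
        print(line, "->", gateway_check(line))
```

The first sample shows why a server-side pattern for # has nothing to match in the normal case: the fragment is already gone from the request line before the proxy sees it.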
