The "Location" header is only set for 3xx redirects or 201/202 responses.
Unless your Origin Web server (pool member) explicitly sets a header to identify the source, you will need to record the destination host header in HTTP_REQUEST, and then use that to add the Content Security Policy.
Please note: - the following is example code to illustrate the technique and may require modification
when HTTP_REQUEST {
set my_host [HTTP::host]
}
when HTTP_RESPONSE {
if { $my_host contains "example.com" } {
Check the status to see if it is 200 ...
if {[HTTP::status] == 200} {
HTTP::header insert Content-Security-Policy ...
}
}
}
However, I would suggest doing this with caution - my opinion is that Content Security Policy is an application level setting, and should be managed by the application owner/developer. Applying a blanket CSP to an entire virtual runs the risk of impacting application behaviour in unexpected ways. You may end up building a complex irule to manage CSP options on various site URLs, which can quickly reduce reliability and maintainability.