Bug ID 450468: Non-rewritten URLs may be available to user while script is running

Last Modified: Feb 13, 2019

Affected Product:
BIG-IP APM (all modules)

Known Affected Versions:
11.4.1

Fixed In:
12.0.0

Opened: Feb 27, 2014
Severity: 3-Major
Related AskF5 Article:
K44757617

Symptoms

While any JavaScript code is executing, all rewritten URLs on the HTML page are demangled into their original form. This operation is performed by a separate script. Browsers unlock the user interface when switching from one script to another. This switch may take long enough for non-rewritten URLs to be visible in the user interface, especially if the script to be executed is not in the browser cache.

Impact

Users may use non-rewritten URLs and bypass the BIG-IP system when connecting to them.

Conditions

An HTML page with long external scripts that may download slowly.

Workaround

This issue has no workaround at this time.

Fix Information

In all modern browsers (Chrome, Safari, FF20+ and IE10+), URLs are no longer explicitly converted between rewritten and non-rewritten forms during script execution. An implicit conversion function is used instead. This prevents non-rewritten URLs from being used from the user interface.

Behavior Change