Last Modified: Apr 28, 2025
Affected Product(s):
BIG-IP AVR
Known Affected Versions:
11.6.0, 11.6.0 HF1, 11.6.0 HF2, 11.6.0 HF3, 11.6.0 HF4
Fixed In:
12.0.0, 11.6.0 HF5
Opened: Feb 22, 2015
Severity: 3-Major
AVR injects CSPM JavaScript when the payload does not contain an HTML <head> tag.
JavaScript is unnecessarily included in HTTP responses.
This occurs when all of the following conditions are met:
-- The page-load-time feature is turned on.
-- The HTTP content is not compressed.
-- The HTTP content-type is text or HTML.
-- The HTTP content does not contain an HTML <head> tag.
Use an iRule. This allows CSPM to be enabled or disabled selectively, so injection can be controlled for particular pages. If the user can determine which URLs are suitable for CSPM, or can identify them by some specific content in the response, an iRule can make that decision. To do so, the page-load-time feature should be turned on in the Analytics profile and an iRule should be used to control injection. See details here: https://support.f5.com/csp/article/K13859
AVR injects CSPM JavaScript only when the payload contains an HTML <head> tag. This is correct behavior.