Last Modified: May 17, 2025
Affected Product(s):
BIG-IP AVR
Known Affected Versions:
11.6.0, 11.6.0 HF1, 11.6.0 HF2, 11.6.0 HF3, 11.6.0 HF4, 11.6.0 HF5
Fixed In:
12.0.0, 11.6.0 HF6
Opened: Apr 17, 2015 Severity: 3-Major
If page-load-time is enabled in the AVR profile, and the response is small enough to not be chunked, AVR will "promise" to the client a CSPM injection in the response by adding to the Content-length header. If the response contains no <html> tag, AVR will "change its mind" and won't inject the JavaScript, causing the client to wait for the missing bytes until timeout.
Client waits many seconds until timeout.
Page-load-time is enabled in the AVR profile,
None
If page-load-time is enabled in the AVR profile, and the response is small enough to not be chunked, AVR will "promise" to the client a CSPM injection in the response by adding to the Content-length header. If no <html> tag is found in the response, the system now injects empty spaces to fill in the missing bytes in order to prevent the client from timing out.