Last Modified: Apr 28, 2025
Affected Product(s):
BIG-IP FPS
Known Affected Versions:
12.0.0, 12.0.0 HF1, 12.0.0 HF2, 12.0.0 HF3, 12.0.0 HF4, 12.1.0, 12.1.0 HF1, 12.1.0 HF2, 12.1.1
Fixed In:
13.0.0, 12.1.1 HF2, 12.1.1 HF1
Opened: Jul 11, 2016 Severity: 2-Critical
When injecting CSP header values to enable FPS Plugin to work, unnecessary injections may invalidate the application's 'allow inline script' policy, since the more restrictive directive is always applied.
The application's inline scripts will refuse to run since FPS Plugin injects nonce. This breaks user's application.
Server response contains either header from the 'Content-Security-Policy' header family.
None.
CSP header's 'unsafe-inline' and 'nonce' directive injection has been made mutually exclusive.