Bug ID 603997: Plugin should not inject nonce to CSP header with unsafe-inline

Last Modified: Nov 07, 2022

Affected Product:
BIG-IP FPS (all modules)

Known Affected Versions:
12.0.0, 12.0.0 HF1, 12.0.0 HF2, 12.0.0 HF3, 12.0.0 HF4, 12.1.0, 12.1.0 HF1, 12.1.0 HF2, 12.1.1

Fixed In:
13.0.0, 12.1.1 HF2, 12.1.1 HF1

Opened: Jul 11, 2016
Severity: 2-Critical

Symptoms

When the FPS Plugin injects values into the CSP header so that its own scripts can run, an unnecessary injection can invalidate the application's 'allow inline script' policy, because the browser always applies the more restrictive directive: once a nonce is present, 'unsafe-inline' is ignored.

Impact

The application's inline scripts will not run because the FPS Plugin injects a nonce. This breaks the user's application.

Conditions

The server response contains either header from the 'Content-Security-Policy' header family.

Workaround

None.

Fix Information

Injection of a 'nonce' into a CSP header directive that already contains 'unsafe-inline' has been made mutually exclusive: the plugin no longer adds a nonce where inline scripts are already allowed.
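The following is an added example, not part of this bug record or of the FPS Plugin's code. It models how a browser decides whether an inline script may run under a CSP script directive (per CSP Level 2/3, a nonce- or hash-source in the directive causes 'unsafe-inline' to be ignored), then contrasts a nonce-injection helper written the way the symptom describes with one written the way the fix describes. The header values, the nonce, and the function names are constructed for illustration.

```javascript
// Added example (not F5 / FPS Plugin code). Models browser CSP evaluation
// for inline scripts and two versions of a nonce-injection helper.
// All header values and nonces are constructed placeholders.

// Parse a CSP header value into a Map: directive name -> array of sources.
function parseCsp(headerValue) {
  const directives = new Map();
  for (const part of headerValue.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    const key = name.toLowerCase();
    // Browsers ignore a repeated directive; the first occurrence wins.
    if (!directives.has(key)) directives.set(key, sources);
  }
  return directives;
}

// Serialize the Map back into a header value.
function serializeCsp(directives) {
  return [...directives]
    .map(([name, sources]) => [name, ...sources].join(" "))
    .join("; ");
}

// The source list that governs scripts: script-src, else default-src, else none.
function governingScriptSources(directives) {
  if (directives.has("script-src")) return directives.get("script-src");
  if (directives.has("default-src")) return directives.get("default-src");
  return null;
}

const isNonceSource = (s) => /^'nonce-[^']+'$/i.test(s);
const isHashSource = (s) => /^'(sha256|sha384|sha512)-[^']+'$/i.test(s);
const isUnsafeInline = (s) => s.toLowerCase() === "'unsafe-inline'";

// Would an inline script (carrying `scriptNonce`, or none) be allowed to run?
function inlineScriptAllowed(headerValue, scriptNonce = null) {
  const sources = governingScriptSources(parseCsp(headerValue));
  if (sources === null) return true; // no directive restricts scripts

  // A matching nonce always allows the script (nonce values are case-sensitive).
  if (scriptNonce !== null && sources.includes(`'nonce-${scriptNonce}'`)) return true;

  // 'unsafe-inline' is honoured only when no nonce- or hash-source is present;
  // this is the rule that turns an injected nonce into a breaking change.
  const hasNonceOrHash = sources.some((s) => isNonceSource(s) || isHashSource(s));
  return !hasNonceOrHash && sources.some(isUnsafeInline);
}

// Pre-fix behaviour (as the symptom describes): always add the plugin's nonce
// to the governing directive. The app's own inline scripts carry no nonce, so
// when 'unsafe-inline' is present they stop running.
function injectNonceAlways(headerValue, nonce) {
  const directives = parseCsp(headerValue);
  const sources = governingScriptSources(directives);
  if (sources === null) return headerValue; // scripts unrestricted: nothing to do
  directives.set("script-src", [...sources, `'nonce-${nonce}'`]);
  return serializeCsp(directives);
}

// Fixed behaviour (as the fix describes): nonce and 'unsafe-inline' are mutually
// exclusive. If inline scripts are already allowed, leave the header untouched;
// the plugin's script runs under 'unsafe-inline' without a nonce.
function injectNonceFixed(headerValue, nonce) {
  const directives = parseCsp(headerValue);
  const sources = governingScriptSources(directives);
  if (sources === null || sources.some(isUnsafeInline)) return headerValue;
  directives.set("script-src", [...sources, `'nonce-${nonce}'`]);
  return serializeCsp(directives);
}

// Constructed application header and plugin nonce (placeholders).
const APP_HEADER = "default-src 'self'; script-src 'self' 'unsafe-inline'";
const PLUGIN_NONCE = "abc123";

// Walk through the bug: before injection, after the buggy injection, after the fix.
function demo() {
  const buggy = injectNonceAlways(APP_HEADER, PLUGIN_NONCE);
  const fixed = injectNonceFixed(APP_HEADER, PLUGIN_NONCE);
  return {
    buggy,
    fixed,
    appInlineBefore: inlineScriptAllowed(APP_HEADER),             // true
    appInlineAfterBuggy: inlineScriptAllowed(buggy),              // false
    appInlineAfterFixed: inlineScriptAllowed(fixed),              // true
    pluginInlineAfterBuggy: inlineScriptAllowed(buggy, PLUGIN_NONCE), // true
    pluginInlineAfterFixed: inlineScriptAllowed(fixed, PLUGIN_NONCE), // true
  };
}

console.log(demo());
```

The check to apply when reviewing an intermediary that rewrites CSP headers is the one in `injectNonceFixed`: a nonce may only be added to a script directive that does not already contain 'unsafe-inline', and a proxy that does not govern scripts at all should not start doing so.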

Behavior Change