Last Modified: Nov 07, 2022
Affected Product:
BIG-IP FPS
Known Affected Versions:
12.0.0, 12.0.0 HF1, 12.0.0 HF2, 12.0.0 HF3, 12.0.0 HF4, 12.1.0, 12.1.0 HF1, 12.1.0 HF2, 12.1.1
Fixed In:
13.0.0, 12.1.1 HF2, 12.1.1 HF1
Opened: Jul 11, 2016
Severity: 2-Critical
Symptoms: When the FPS plugin injects values into the application's Content-Security-Policy header so that its own inline script is allowed to run, an unnecessary injection can invalidate the application's 'unsafe-inline' allowance: when a script-src source list contains both a nonce and 'unsafe-inline', the browser applies the more restrictive source expression and ignores 'unsafe-inline'.
Impact: The application's own inline scripts refuse to run because the FPS plugin has injected a nonce, which breaks the user's application.
Conditions: The server response contains either header of the 'Content-Security-Policy' family (Content-Security-Policy or Content-Security-Policy-Report-Only).
Workaround: None.
Fix Information: Injection of the 'unsafe-inline' and 'nonce-' source expressions into the CSP header has been made mutually exclusive.
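The behaviour described above, modelled as an added example in JavaScript: a minimal model of how a CSP Level 2 aware browser decides whether an inline script without a nonce may run, used to show why injecting a nonce into a policy that already carries 'unsafe-inline' blocks the application's inline scripts, and how a mutually exclusive injection avoids that. This is not F5's code and not the FPS plugin's actual implementation; the policy strings, the nonce value and all function names are constructed for illustration.

```javascript
// Added example (not F5's code). Models the CSP rule that makes this issue bite:
// when a script-src list contains any nonce or hash source, browsers that
// understand nonces ignore 'unsafe-inline' in that list.

const UNSAFE_INLINE = "'unsafe-inline'";

// Parse one policy string ("dir src src; dir src") into a Map: directive -> source list.
// A repeated directive is ignored, as browsers do.
function parsePolicy(policy) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

function serializePolicy(directives) {
  return [...directives].map(([name, sources]) => [name, ...sources].join(" ")).join("; ");
}

// The source list that governs scripts: script-src, else default-src, else no restriction.
function scriptSources(directives) {
  if (directives.has("script-src")) return directives.get("script-src");
  if (directives.has("default-src")) return directives.get("default-src");
  return null;
}

function isNonceOrHash(source) {
  return /^'(nonce-|sha(256|384|512)-)/i.test(source);
}

function hasUnsafeInline(sources) {
  return sources.some((s) => s.toLowerCase() === UNSAFE_INLINE);
}

// Would an inline <script> that carries no nonce run under this single policy?
function policyAllowsInlineScript(policy) {
  const sources = scriptSources(parsePolicy(policy));
  if (sources === null) return true;
  return hasUnsafeInline(sources) && !sources.some(isNonceOrHash);
}

// Headers as [name, value] pairs. Each enforcing Content-Security-Policy header
// (and each comma-separated policy inside it) applies independently, so the script
// runs only if every one of them allows it. Report-Only headers never block.
function responseAllowsInlineScript(headers) {
  for (const [name, value] of headers) {
    if (name.toLowerCase() !== "content-security-policy") continue;
    for (const policy of value.split(",")) {
      if (!policyAllowsInlineScript(policy)) return false;
    }
  }
  return true;
}

// Unconditional injection: append a nonce to the script source list (creating
// script-src from default-src if needed). This is the problematic behaviour.
function injectNonce(policy, nonce) {
  const directives = parsePolicy(policy);
  const sources = scriptSources(directives);
  if (sources === null) return policy; // scripts are unrestricted; nothing to allow
  directives.set("script-src", [...sources, `'nonce-${nonce}'`]);
  return serializePolicy(directives);
}

// One way to honour the mutual exclusion (a hypothetical implementation, not F5's):
// if 'unsafe-inline' already admits the plugin's inline script, leave the policy
// untouched, because adding a nonce would only revoke that allowance.
function injectNonceIfCompatible(policy, nonce) {
  const sources = scriptSources(parsePolicy(policy));
  if (sources !== null && hasUnsafeInline(sources)) return policy;
  return injectNonce(policy, nonce);
}

// Constructed application policy and nonce value for the demonstration.
const APP_POLICY = "default-src 'self'; script-src 'self' 'unsafe-inline'";
const NONCE = "r4nd0m";
console.log(policyAllowsInlineScript(APP_POLICY));                       // true
console.log(policyAllowsInlineScript(injectNonce(APP_POLICY, NONCE)));   // false: app's inline scripts blocked
console.log(injectNonceIfCompatible(APP_POLICY, NONCE) === APP_POLICY);  // true: policy left alone
```

The check also covers the fallback case where the application sets only default-src: injecting a nonce there has to create a script-src directive, and the same 'unsafe-inline' rule applies to it.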