Bug ID 744186

Bug Tracker
ID 744186

Bug ID 744186: JavaScript injection interferes with X-UA-Compatible meta http-equiv tag

Last Modified: Sep 14, 2023

Affected Product(s):
BIG-IP ASM(all modules)

Known Affected Versions:
13.0.0, 13.0.0 HF1, 13.0.0 HF2, 13.0.0 HF3, 13.0.1, 13.1.0, 13.1.0.1, 13.1.0.2, 13.1.0.3, 13.1.0.4, 13.1.0.5, 13.1.0.6, 13.1.0.7, 13.1.0.8, 13.1.1, 13.1.1.2, 13.1.1.3, 13.1.1.4, 13.1.1.5, 13.1.3, 13.1.3.1, 13.1.3.2, 13.1.3.3, 13.1.3.4, 13.1.3.5, 13.1.3.6, 13.1.4, 13.1.4.1, 13.1.5, 13.1.5.1, 14.0.0, 14.0.0.1, 14.0.0.2, 14.0.0.3, 14.0.0.4, 14.0.0.5, 14.0.1, 14.0.1.1, 14.1.0, 14.1.0.1, 14.1.0.2, 14.1.0.3, 14.1.0.5, 14.1.0.6, 14.1.2, 14.1.2.1, 14.1.2.2, 14.1.2.3, 14.1.2.4, 14.1.2.5, 14.1.2.6, 14.1.2.7, 14.1.2.8, 14.1.3, 14.1.3.1, 14.1.4, 14.1.4.1, 14.1.4.2, 14.1.4.3, 14.1.4.4, 14.1.4.5, 14.1.4.6, 14.1.5, 14.1.5.1, 14.1.5.2, 14.1.5.3, 14.1.5.4, 14.1.5.6, 15.0.0, 15.0.1, 15.0.1.1, 15.0.1.2, 15.0.1.3, 15.0.1.4

Opened: Sep 15, 2018

Severity: 4-Minor

Symptoms

Enabling any JavaScript injection interferes with <meta http-equiv="X-UA-Compatible" content="..."> when it is included in the HTML response from the back-end server.

Impact

The impact is that pages loaded in Internet Explorer may be loaded in compatibility mode instead of following the X-UA-Compatible header.

Conditions

-- The back-end web server uses <meta http-equiv="X-UA-Compatible" content="..."> header in the HTML and relies on it for displaying Internet Explorer content. -- Users using Internet Explorer to access the Virtual Server -- JavaScript injection is enabled from any of the ASM features, such as: DoS Profile: Single Page Application Bot Defense Profile: Single Page Application, Verify After Access, Generate After Access ASM Policy: CSRF, AJAX Blocking Page, Web Scraping - Bot Detection

Workaround

For injections coming from DoS or Bot Defense: Modify the DB variable which controls the location of the injection: -- tmsh modify sys db dosl7.parse_html_inject_tags value before,script,before,/head,before,body This will cause the script to be injected after the first <script> tag, or before the </head> tag, which ever comes first on the response HTML. For injections coming from the ASM Policy: -- /usr/share/ts/bin/add_del_internal add smart_inject 1 -- bigstart restart asm This will cause the JavaScript to be injected after the X-UA-Compatible header, if such header exists on the response HTML.

Fix Information

None

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips