Bug ID 746837: AVR JS injection can cause error on page if the JS was not injected

Last Modified: Jan 20, 2023

Affected Product:
BIG-IP AVR (all modules)

Known Affected Versions:
12.1.0, 12.1.0 HF1, 12.1.0 HF2, 12.1.1, 12.1.1 HF1, 12.1.1 HF2, 12.1.2, 12.1.2 HF1, 12.1.2 HF2, 12.1.3, 12.1.4, 12.1.5, 12.1.6, 13.1.0, 13.1.1, 13.1.3, 13.1.4, 13.1.5, 14.0.0, 14.0.1, 14.1.0, 14.1.2, 14.1.3, 14.1.4, 14.1.5, 15.0.0, 15.0.1

Opened: Oct 15, 2018
Severity: 3-Major


Symptoms

If page-load-time is enabled in the AVR profile and the response is small enough not to be chunked, AVR 'promises' the client a JS injection in the response by adding the expected length of the JS to the Content-Length header. If AVR later determines that the response contains no HTML tag, it does not inject the JS; instead, it wraps the response with spaces. This can lead to errors in cases where the change in response size is not supported.


Impact

White space at the end of the page can make it invalid for some applications.


Conditions

AVR is configured to collect 'Page Load Time' and the response from the web server meets these conditions:
-- The response is uncompressed.
-- The Content-Type header is text/html.
-- The response is not chunked (the Content-Length header exists).
-- The payload does not include the HTML head tag.
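
The conditions above can be checked against captured origin responses to find endpoints that would receive space padding instead of the JS. The following is an added example, not F5 code: the function names and the sample response are constructed for illustration, and the 40-byte pad is an arbitrary stand-in for the real JS length, which this page does not state.

```python
import re

# Matches an opening <head> tag but not <header>.
HEAD_TAG = re.compile(rb"<head[\s>]", re.IGNORECASE)

def matches_conditions(headers, body):
    """True when an origin response meets all four listed conditions."""
    h = {k.lower(): v.strip().lower() for k, v in headers.items()}
    uncompressed = h.get("content-encoding", "identity") == "identity"
    is_html = h.get("content-type", "").split(";")[0].strip() == "text/html"
    not_chunked = ("content-length" in h
                   and "chunked" not in h.get("transfer-encoding", ""))
    no_head = HEAD_TAG.search(body) is None
    return uncompressed and is_html and not_chunked and no_head

def space_padding(origin_body, delivered_body):
    """Count of space bytes wrapped around origin_body in delivered_body.

    Returns 0 unless the delivered body is exactly the origin body with
    only space characters added before and/or after it.
    """
    idx = delivered_body.find(origin_body)
    if idx < 0 or len(delivered_body) <= len(origin_body):
        return 0
    before = delivered_body[:idx]
    after = delivered_body[idx + len(origin_body):]
    if before.strip(b" ") or after.strip(b" "):
        return 0
    return len(before) + len(after)

# Constructed sample: a JSON payload mislabelled as text/html by the server.
SAMPLE_HEADERS = {"Content-Type": "text/html; charset=utf-8",
                  "Content-Length": "15"}
SAMPLE_BODY = b'{"status":"ok"}'
# Constructed: 40 is an arbitrary pad size, not the real length of the AVR JS.
SAMPLE_DELIVERED = SAMPLE_BODY + b" " * 40

if __name__ == "__main__":
    print("at risk:", matches_conditions(SAMPLE_HEADERS, SAMPLE_BODY))
    print("pad bytes:", space_padding(SAMPLE_BODY, SAMPLE_DELIVERED))
```

Endpoints for which `matches_conditions` returns true are candidates for exclusion from injection through the iRule workaround.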


Workaround

To avoid attempting injection into pages where the JS does not fit, use iRules to control which pages get the JS injection. For detailed information, see K13859: Disabling CSPM injection with iRules (https://support.f5.com/csp/article/K13859).

Fix Information


Behavior Change