Bug ID 838709: Enabling DoS stats also enables page-load-time

Last Modified: Jul 12, 2023

Affected Product(s):
BIG-IP AVR(all modules)

Known Affected Versions:
13.1.0,,,,,,,,, 13.1.1,,,,, 13.1.3,,,, 14.0.0,,,,,, 14.0.1,, 14.1.0,,,,,, 14.1.2,,,,, 15.0.0, 15.0.1,,, 15.1.0,

Fixed In:

Opened: Oct 15, 2019

Severity: 2-Critical


If collect-all-dos-statistic is enabled, AVR 'promises' to the client a JavaScript injection in the response by adding the expected length of the JavaScript to the Content-length header.


In addition to collecting DoS statistics, JavaScript injection also occurs.


Security :: reporting : settings : collect-all-dos-statistic is enabled.


Can use iRules to control which pages should get the JavaScript injection. For detailed information, see K13859: Disabling CSPM injection with iRules :: https://support.f5.com/csp/article/K13859.

Fix Information

Changed the condition that insert the JavaScript injection in case that "collect all dos stats" is enabled.

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips