BugZero | F5 BugID 603997 - Plugin should not inject nonce to CSP header with ...

F5 - Defect ID: 603997

Plugin should not inject nonce to CSP header with unsafe-inline

F5 - Defect ID: 603997

Plugin should not inject nonce to CSP header with unsafe-inline

Last updated on January 29th, 2026

BugZero Risk Score
8.6 High

Overall: 8.6

Severity: 9.1

Community: 4.2

Lifecycle: 8.3

What is the BugZero Risk Score?

F5 Integration

Learn more about where this data comes from

F5 Integration

Learn more

Bug Scrub Advisor

Streamline upgrades with automated vendor bug scrubs

Bug Scrub Advisor

Learn more

BugZero Enterprise

Wish you caught this bug sooner? Get proactive today.

BugZero Enterprise

Learn more

Bug Details

Priority: 2-Critical
Status: Verified
Impact Category: Access Policy Manager

Description

Symptoms

When injecting CSP header values to enable FPS Plugin to work, unnecessary injections may invalidate the application's 'allow inline script' policy, since the more restrictive directive is always applied.

Impact

The application's inline scripts will refuse to run since FPS Plugin injects nonce. This breaks user's application.

Conditions

Server response contains either header from the 'Content-Security-Policy' header family.

Workaround

None.

Fix Information

CSP header's 'unsafe-inline' and 'nonce' directive injection has been made mutually exclusive.

Change history

2025-04-28 Added: 12.0.0, 12.0.0 HF1, 12.0.0 HF2, 12.0.0 HF3, 12.0.0 HF4, 12.1.0, 12.1.0 HF1, 12.1.0 HF2, 12.1.1

Top F5 Defects

9.7Defect ID: 1505789
VPN connection fails with Edge client 7.2.4.6 with error "Network is vulnerable"
9.6Defect ID: 2141125
Multicast traffic is dropped with incorrect VLAN tagging
9.4Defect ID: 1785385
Intermittent traffic failures when tenant is running BIG-IP v17.1.2 or above and host is on version prior to F5OS-A 1.8.0 or F5OS-C 1.8.0
9.4Defect ID: 2292013
Admin users cannot create or view virtual servers and other objects in non-Common partitions in TMUI
9.4Defect ID: 970269
Install fails as lind keeps failing due to "Fatal error: block id new probe failed - device file:/dev/cdrom"

Ready to prevent the next vendor outage?

Get a demo

F5 - Defect ID: 603997

Plugin should not inject nonce to CSP header with unsafe-inline

F5 - Defect ID: 603997

Plugin should not inject nonce to CSP header with unsafe-inline

Last updated on January 29th, 2026

BugZero Risk Score8.6 High

Bug Details

Symptoms

Impact

Conditions

Workaround

Fix Information

Links

Top F5 Defects

Ready to prevent the next vendor outage?

BugZero Risk Score
8.6 High