Symptoms

In certain configurations, an HTTP request containing an HTTPS origin header may be blocked due to an 'Illegal cross-origin request' violation.

Impact

An 'Illegal cross-origin request' violation is reported in version 17.1.x, unlike in version 16.1.x, with the same configurations and traffic.

Conditions

A request sent to a virtual server on an HTTP port (or any port other than 443) with an origin header set to HTTPS will trigger a violation under the following conditions: 1. The 'Illegal cross-origin request' violation is enabled. 2. In Security > Application Security > Security Policies > Policies List, click Create. Add a policy name (for example, Auto_Security_Policy_Services) and click Save. Then, on the Policies List page, click the created policy name and go to HTTP Message Protection > Headers > Host Names. This issue occurs when the host name is configured with the origin header value specified in this path. 3. The URL where the request is sent has 'Enforce on ASM' enabled in the 'HTML5 Cross-Domain Request' configuration area.

Workaround

Add the HTTPS protocol and origin name to the required URL in the 'Allowed Origins' setting, located under 'HTML5 Cross-Domain Request'.

Fix Information

With the internal parameter enabled, an 'Illegal cross-origin request' violation will not be reported. By default, the internal parameter is disabled. However, it can be enabled using the following commands: /usr/share/ts/bin/add_del_internal add cors_match_protocol_port 1 /usr/share/ts/bin/add_del_internal add cors_default_port_80 1 tmsh restart sys service asm This enables the parameter and restarts the ASM service to apply the changes.

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips