Bug ID 1029989: CORS : default port of origin header is set 80, even when the protocol in the header is https

Last Modified: Dec 13, 2023

Affected Product(s):
BIG-IP ASM(all modules)

Fixed In:
16.1.4, 15.1.10

Opened: Jun 30, 2021

Severity: 3-Major


Destination port is set to 80, instead of 443, for Origin header value that has https in the schema field. This causes unexpected "Illegal cross-origin request" violation.


Unexpected "Illegal cross-origin request" violation.


- Using CORS enforcement where you allow HTTPS and port 443 for an origin name - The Origin header value has https in the schema - The Origin header value does not specify non default port number


Allow port 80 or use 'any' for the given origin name.

Fix Information

When schema in the header is https, considers port 443 instead of 80.

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips