Last Modified: Nov 02, 2023
Affected Product(s):
BIG-IP ASM
Known Affected Versions:
17.1.0, 17.1.0.1, 17.1.0.2, 17.1.0.3
Fixed In:
17.1.1
Opened: Apr 02, 2023
Severity: 3-Major
Under certain configurations, an HTTP request with an HTTPS Origin header may get blocked for an 'Illegal cross-origin request' violation.
The 'Illegal cross-origin request' violation is reported in version 17.1.x, unlike version 16.1.x with the same configuration and the same traffic.
A request that is sent to a virtual server with an HTTP port, and that has an Origin header with an HTTPS value, will trigger the violation under the following conditions:
1) The 'Illegal cross-origin request' violation is enabled.
2) Security ›› Application Security : Security Policies : Policies List ›› Auto_Security_Policy_Services ›› Headers ›› Host Names is configured with the Origin header value.
3) The URL to which the request is sent has 'Enforce on ASM' enabled in its 'HTML5 Cross-Domain Request' configuration.
Add the HTTPS protocol and Origin name to the desired URL in 'Allowed Origins', which is located in 'HTML5 Cross-Domain Request'.
With the internal parameter enabled, 'Illegal cross-origin request' violation will not be reported.