Bug ID 1284097: False positive 'Illegal cross-origin request' violation

Last Modified: Jun 13, 2024

Affected Product(s):
BIG-IP ASM (all modules)

Known Affected Versions:
15.1.0, 15.1.1, 15.1.2, 15.1.3, 15.1.4, 15.1.5, 15.1.6, 15.1.7, 15.1.8, 15.1.9, 15.1.10, 16.1.0, 16.1.1, 16.1.2, 16.1.3, 16.1.4, 17.1.0

Fixed In:

Opened: Apr 02, 2023

Severity: 3-Major


Under certain configurations, an HTTP request with an HTTPS Origin header may be blocked with an 'Illegal cross-origin request' violation.


The 'Illegal cross-origin request' violation is reported in version 17.1.x, unlike in version 16.1.x, with the same configuration and the same traffic.


A request that is sent to a virtual server on an HTTP port, and that has an Origin header with an HTTPS value, will trigger the violation under the following conditions:

1) The 'Illegal cross-origin request' violation is enabled.
2) Security ›› Application Security : Security Policies : Policies List ›› Auto_Security_Policy_Services ›› Headers ›› Host Names is configured with the Origin header value.
3) The URL to which the request is sent has 'Enforce on ASM' enabled in its 'HTML5 Cross-Domain Request' configuration.


Add the HTTPS protocol and the Origin name to 'Allowed Origins', located in 'HTML5 Cross-Domain Request', for the desired URL.
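
A triage sketch for the conditions and workaround above, added here as an example and not F5 code: it takes request records you have exported from your own logs and lists the HTTPS origins that fit the conditions and would need an 'Allowed Origins' entry. The record fields (vs_scheme, origin), the host names and the sample values are constructed assumptions.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin_tuple(origin):
    """Parse an Origin header value into (scheme, host, port), or None if unusable."""
    parts = urlsplit(origin.strip())
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS or not parts.hostname:
        return None  # "null", empty or malformed Origin values
    try:
        port = parts.port or DEFAULT_PORTS[scheme]
    except ValueError:  # port outside 0-65535
        return None
    return scheme, parts.hostname.lower(), port


def triage(requests, policy_host_names):
    """Return sorted (protocol, origin name, port) entries for requests that
    arrived on an HTTP virtual server with an HTTPS Origin whose host is one
    of the policy's configured Host Names."""
    hosts = {h.lower() for h in policy_host_names}
    needed = set()
    for req in requests:
        origin = origin_tuple(req.get("origin", ""))
        if origin is None:
            continue
        scheme, host, _port = origin
        if req["vs_scheme"] == "http" and scheme == "https" and host in hosts:
            needed.add(origin)
    return sorted(needed)


# Constructed sample records (not taken from any real log).
SAMPLE = [
    {"vs_scheme": "http", "origin": "https://shop.example.com"},        # fits
    {"vs_scheme": "http", "origin": "HTTPS://Shop.Example.com:8443"},   # fits
    {"vs_scheme": "http", "origin": "http://shop.example.com"},         # same scheme
    {"vs_scheme": "https", "origin": "https://shop.example.com"},       # HTTPS virtual server
    {"vs_scheme": "http", "origin": "https://other.example.net"},       # not a policy host name
    {"vs_scheme": "http", "origin": "null"},                            # opaque origin
]

if __name__ == "__main__":
    for proto, name, port in triage(SAMPLE, ["shop.example.com"]):
        print(f"Allowed Origins candidate: {proto} {name} {port}")
```

Origins outside the policy's Host Names are left out on purpose: they are real cross-origin requests, not instances of this false positive.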

Fix Information

With the internal parameter enabled, the 'Illegal cross-origin request' violation will not be reported. The internal parameter is disabled by default. It is enabled as follows:

    /usr/share/ts/bin/add_del_internal add cors_match_protocol_port 1
    /usr/share/ts/bin/add_del_internal add cors_default_port_80 1
    tmsh restart sys service asm

Behavior Change
