Bug ID 1284097: False positive 'Illegal cross-origin request' violation

Last Modified: Jun 13, 2024

Affected Product(s):
BIG-IP ASM (all modules)

Known Affected Versions:
15.1.0, 15.1.0.1, 15.1.0.2, 15.1.0.3, 15.1.0.4, 15.1.0.5, 15.1.1, 15.1.2, 15.1.2.1, 15.1.3, 15.1.3.1, 15.1.4, 15.1.4.1, 15.1.5, 15.1.5.1, 15.1.6, 15.1.6.1, 15.1.7, 15.1.8, 15.1.8.1, 15.1.8.2, 15.1.9, 15.1.9.1, 15.1.10, 15.1.10.2, 15.1.10.3, 15.1.10.4, 16.1.0, 16.1.1, 16.1.2, 16.1.2.1, 16.1.2.2, 16.1.3, 16.1.3.1, 16.1.3.2, 16.1.3.3, 16.1.3.4, 16.1.3.5, 16.1.4, 16.1.4.1, 16.1.4.2, 16.1.4.3, 17.1.0, 17.1.0.1, 17.1.0.2, 17.1.0.3

Fixed In:
17.1.1

Opened: Apr 02, 2023

Severity: 3-Major

Symptoms

Under certain configurations, an HTTP request whose Origin header carries an HTTPS value may be blocked with the 'Illegal cross-origin request' violation.

Impact

The 'Illegal cross-origin request' violation is reported in version 17.1.x, whereas version 16.1.x does not report it with the same configuration and the same traffic.

Conditions

A request sent to a virtual server with an HTTP port, carrying an Origin header with an HTTPS value, triggers the violation under the following conditions:

1) The 'Illegal cross-origin request' violation is enabled.
2) Security ›› Application Security : Security Policies : Policies List ›› Auto_Security_Policy_Services ›› Headers ›› Host Names is configured with the Origin header value.
3) The URL to which the request is sent has 'Enforce on ASM' enabled in its 'HTML5 Cross-Domain Request' configuration.

Workaround

Add the HTTPS protocol and the Origin host name for the desired URL to 'Allowed Origins', located under 'HTML5 Cross-Domain Request'.

Fix Information

With the internal parameters enabled, the 'Illegal cross-origin request' violation is no longer reported. The parameters are disabled by default; enable them as follows:

/usr/share/ts/bin/add_del_internal add cors_match_protocol_port 1
/usr/share/ts/bin/add_del_internal add cors_default_port_80 1
tmsh restart sys service asm
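The origin comparison described under Conditions, and the 'Allowed Origins' workaround, as an added Python model. This is not F5's code and does not reproduce ASM's implementation: the strict/relaxed toggle match_protocol_port, the function names, and the host names and origins used in the demonstration are assumptions constructed for illustration, and the toggle is a modelling choice rather than the documented semantics of the internal parameters. It shows why an Origin of https://www.example.com arriving on an HTTP listener on port 80 is cross-origin under strict (scheme, host, port) matching even when the host name is in the policy's Host Names, and how an 'Allowed Origins' entry carrying the HTTPS scheme suppresses the violation.

```python
from urllib.parse import urlsplit

# Constructed model of a CORS origin check; not F5 ASM's implementation.

DEFAULT_PORTS = {"http": 80, "https": 443}


def parse_origin(origin):
    """Split an Origin header value into (scheme, host, port).

    The scheme's default port is filled in when the value carries none.
    Returns None for anything that is not a well-formed http(s) origin,
    such as the literal 'null' or a value with a path or query.
    """
    parts = urlsplit(origin.strip())
    if parts.scheme not in DEFAULT_PORTS or not parts.hostname:
        return None
    if parts.path not in ("", "/") or parts.query or parts.fragment:
        return None
    try:
        port = parts.port          # raises ValueError for a non-numeric port
    except ValueError:
        return None
    if port is None:
        port = DEFAULT_PORTS[parts.scheme]
    return parts.scheme, parts.hostname.lower(), port


def is_same_origin(origin, listener_scheme, listener_port, host_names,
                   match_protocol_port=True):
    """Decide whether the Origin belongs to the protected application itself.

    match_protocol_port=True  : scheme, host and port must all match the
                                virtual server the request arrived on.
    match_protocol_port=False : membership of the host in the policy's
                                Host Names is enough (assumed relaxed mode).
    """
    parsed = parse_origin(origin)
    if parsed is None:
        return False
    scheme, host, port = parsed
    if host not in {h.lower() for h in host_names}:
        return False
    if not match_protocol_port:
        return True
    return scheme == listener_scheme and port == listener_port


def is_allowed_origin(origin, allowed_origins):
    """Allowed Origins are compared as full (scheme, host, port) tuples, so
    'https://www.example.com' and 'http://www.example.com' are distinct."""
    parsed = parse_origin(origin)
    if parsed is None:
        return False
    return any(parse_origin(entry) == parsed for entry in allowed_origins)


def illegal_cross_origin(origin, listener_scheme, listener_port, host_names,
                         allowed_origins=(), match_protocol_port=True):
    """Return True when the request would raise the
    'Illegal cross-origin request' violation under this model."""
    if is_same_origin(origin, listener_scheme, listener_port, host_names,
                      match_protocol_port):
        return False
    if is_allowed_origin(origin, allowed_origins):
        return False
    return True


if __name__ == "__main__":
    # Constructed scenario: HTTP virtual server on port 80, policy Host Names
    # containing the site, browser sends Origin with the HTTPS scheme.
    hosts = {"www.example.com"}
    https_origin = "https://www.example.com"

    print("strict, no allowed origins :",
          illegal_cross_origin(https_origin, "http", 80, hosts))           # True
    print("relaxed host-name matching :",
          illegal_cross_origin(https_origin, "http", 80, hosts,
                               match_protocol_port=False))                 # False
    print("strict + Allowed Origins   :",
          illegal_cross_origin(https_origin, "http", 80, hosts,
                               allowed_origins={"https://www.example.com"}))  # False
    print("unrelated origin, relaxed  :",
          illegal_cross_origin("https://other.example.net", "http", 80, hosts,
                               match_protocol_port=False))                 # True
```

Under strict matching the Allowed Origins entry must carry the same scheme and default port as the browser's Origin header, which is why the workaround adds the HTTPS protocol rather than just the host name; the relaxed mode in the model is only there to show that the violation disappears once the comparison stops considering protocol and port.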

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips