Bug ID 1292645: False positive CORS violation can occur after upgrading to 17.1.x under certain conditions

Last Modified: Jul 24, 2024

Affected Product(s):
BIG-IP ASM, Install/Upgrade(all modules)

Fixed In:
17.1.1, 16.1.5

Opened: Apr 25, 2023

Severity: 3-Major

Symptoms

False positive CORS violations can start appearing after upgrading to 17.1.x.

Impact

HTTPS requests can be blocked with a CORS violation.

Conditions

1) CORS violation is enabled.
2) CORS is configured with port 80 on a particular URL.
3) A request for the URL from step 2 reaches BIG-IP over HTTPS.

Workaround

Change the configured CORS port to 443 for URLs that receive HTTPS traffic.

Fix Information

Added a new bd internal variable, "cors_default_port_80", which can be used to allow HTTPS traffic when the CORS port is configured as 80.

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips