Last Modified: Apr 28, 2025
Affected Product(s):
BIG-IP ASM
Known Affected Versions:
11.6.0, 11.6.0 HF1, 11.6.0 HF2, 11.6.0 HF3, 11.6.0 HF4, 11.6.0 HF5, 11.6.0 HF6, 11.6.0 HF7, 11.6.0 HF8, 11.6.1, 11.6.1 HF1, 11.6.1 HF2, 11.6.2, 11.6.2 HF1, 11.6.3, 11.6.3.1, 11.6.3.2, 11.6.3.3, 11.6.3.4, 11.6.4, 11.6.5, 11.6.5.1, 11.6.5.2, 11.6.5.3
Fixed In:
12.0.0
Opened: Dec 25, 2013 Severity: 3-Major
An incorrect validation prevented CORS enforcement from being configured to only disallow credentials without any other settings.
The URL could not be saved with this configuration.
Allow HTML 5 Cross-Origin Request is enabled on a URL, and the only modification being made to the request is to disallow credentials.
If another setting (like maximum age) is also configured, then saving the URL would pass validation.
You can now correctly configure CORS enforcement when it is needed only to disallow credentials.