Bug ID 551795: Portal Access: corrections to CORS support for XMLHttpRequest

Last Modified: Oct 06, 2020


Affected Product:
BIG-IP APM (all modules)

Known Affected Versions:
12.1.0, 12.1.0 HF1, 12.1.0 HF2, 12.1.1, 12.1.1 HF1, 12.1.1 HF2, 12.1.2, 12.1.2 HF1, 12.1.2 HF2

Fixed In:
13.0.0, 12.1.3

Opened: Oct 09, 2015
Severity: 3-Major


An XMLHttpRequest to an external domain should fail if the server does not include the 'Access-Control-Allow-Origin' header in its response. The current implementation of CORS support in Portal Access does not enforce this failure. If an XMLHttpRequest to a same-origin resource is redirected to an external one, it has to be treated as a cross-domain request. The current implementation of CORS support in Portal Access does not handle this case correctly.


The web application may work incorrectly; some data access restrictions may not work.


An XMLHttpRequest to an external domain via Portal Access succeeds even when the server response does not include the 'Access-Control-Allow-Origin' header. An XMLHttpRequest to a same-origin resource succeeds via Portal Access even though the response is redirected.



Fix Information

Portal Access now supports CORS for XMLHttpRequest when the response is redirected. CORS support now enforces an error when the 'Access-Control-Allow-Origin' header is absent from the server response.
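The two rules described above (fail when 'Access-Control-Allow-Origin' is absent, and treat a same-origin request that is redirected to an external host as cross-domain) can be modelled as follows. This is an added example, not F5 code; it is a simplified model of the browser-side check, and the function names, the hop format and the hostnames are assumptions. It also goes slightly beyond the two cases in the report by covering credentialed requests and multi-hop redirects.

```javascript
// Added example: simplified model of the CORS check a browser applies to XHR.
// Function names and the hop format ({url, headers}) are hypothetical.

// CORS check on a single response, against the origin the browser would send.
function corsCheck(headers, serializedOrigin, withCredentials) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = v;
  const acao = h["access-control-allow-origin"];
  if (acao === undefined) return false;              // header absent: must fail
  if (!withCredentials && acao === "*") return true; // wildcard, no credentials
  if (acao !== serializedOrigin) return false;       // must match exactly
  if (!withCredentials) return true;
  return h["access-control-allow-credentials"] === "true";
}

// hops: every response in the redirect chain, in order, final response last.
function xhrAllowed(pageOrigin, hops, withCredentials = false) {
  let corsMode = false;      // sticky once any hop leaves the page origin
  let taintedOrigin = false; // a cross-origin hop redirected to another origin
  let prevOrigin = null;
  for (const hop of hops) {
    const hopOrigin = new URL(hop.url).origin;
    if (prevOrigin !== null && prevOrigin !== pageOrigin && prevOrigin !== hopOrigin) {
      taintedOrigin = true;  // the Origin sent is then serialized as "null"
    }
    if (hopOrigin !== pageOrigin) corsMode = true;
    const origin = taintedOrigin ? "null" : pageOrigin;
    if (corsMode && !corsCheck(hop.headers, origin, withCredentials)) return false;
    prevOrigin = hopOrigin;
  }
  return true;
}

// Constructed sample: same-origin request redirected to an external host
// whose response carries no Access-Control-Allow-Origin header.
const PAGE = "https://app.example";
const redirectedChain = [
  { url: "https://app.example/data", headers: { Location: "https://ext.example/data" } },
  { url: "https://ext.example/data", headers: { "Content-Type": "application/json" } },
];
console.log(xhrAllowed(PAGE, redirectedChain));
```

A rewriting proxy such as Portal Access has to reach the same verdict as this model using the backend application's origin, because the browser itself only sees the proxy's origin.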

Behavior Change