Bug ID 551795: Portal Access: corrections to CORS support for XMLHttpRequest

Last Modified: Oct 01, 2018

Affected Product:
BIG-IP APM (all modules)

Known Affected Versions:
12.1.0, 12.1.0 HF1, 12.1.0 HF2, 12.1.1, 12.1.1 HF1, 12.1.1 HF2, 12.1.2, 12.1.2 HF1, 12.1.2 HF2

Fixed In:
13.0.0, 12.1.3

Opened: Oct 09, 2015
Severity: 3-Major

Symptoms

An XMLHttpRequest to an external domain should fail if the server does not include the 'Access-Control-Allow-Origin' header in its response. The current implementation of CORS support in Portal Access does not enforce this failure. If an XMLHttpRequest to a same-origin resource is redirected to an external one, it must be treated as a cross-domain request. The current implementation of CORS support in Portal Access does not handle this case correctly.

Impact

The web application may work incorrectly; some data access restrictions may not work.

Conditions

An XMLHttpRequest to an external domain via Portal Access succeeds even when the server response does not include the 'Access-Control-Allow-Origin' header. An XMLHttpRequest to a same-origin resource succeeds via Portal Access in spite of response redirection.

Workaround

None

Fix Information

Portal Access now supports CORS when the response to an XMLHttpRequest is redirected. CORS support now enforces an error when the 'Access-Control-Allow-Origin' header is absent from the server response.
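
The two conditions described in this record can be modelled as a check over the redirect chain. This is an added example, not F5 or Portal Access code: evaluateXhr, header and the hostnames are hypothetical, and the model assumes a simple request without credentials or preflight. It goes one step beyond the text by covering the Fetch-standard case where a cross-origin server redirects to yet another origin, after which the browser sends "Origin: null".

```javascript
// Simplified model of the browser-side CORS check for XMLHttpRequest
// (no credentials, no preflight). Not Portal Access code.
function header(headers, name) {
  const hit = Object.entries(headers || {})
    .find(([k]) => k.toLowerCase() === name);
  return hit ? String(hit[1]).trim() : undefined;
}

// hops: every response in the redirect chain, in order: [{ url, headers }]
function evaluateXhr(pageOrigin, hops) {
  let cors = false;    // set once any hop leaves the page origin, never cleared
  let tainted = false; // a cross-origin server redirected to yet another origin
  for (let i = 0; i < hops.length; i++) {
    const origin = new URL(hops[i].url).origin;
    if (i > 0) {
      const prev = new URL(hops[i - 1].url).origin;
      if (prev !== origin && prev !== pageOrigin) tainted = true;
    }
    if (origin !== pageOrigin) cors = true;
    if (!cors) continue; // still same-origin: no CORS check applies
    const acao = header(hops[i].headers, 'access-control-allow-origin');
    const expected = tainted ? 'null' : pageOrigin; // Origin value the browser sent
    if (acao === undefined)
      return { allowed: false, hop: i, reason: 'missing Access-Control-Allow-Origin' };
    if (acao !== '*' && acao !== expected)
      return { allowed: false, hop: i, reason: `ACAO ${acao} does not match ${expected}` };
  }
  return { allowed: true, crossOrigin: cors };
}

// Constructed sample chains (hostnames are placeholders).
const PAGE = 'https://app.example';
const samples = {
  externalNoHeader: [{ url: 'https://api.other.example/data', headers: {} }],
  sameOriginRedirectedOut: [
    { url: 'https://app.example/go', headers: { Location: 'https://api.other.example/data' } },
    { url: 'https://api.other.example/data', headers: {} },
  ],
  redirectedOutWithHeader: [
    { url: 'https://app.example/go', headers: { Location: 'https://api.other.example/data' } },
    { url: 'https://api.other.example/data', headers: { 'Access-Control-Allow-Origin': PAGE } },
  ],
  sameOriginOnly: [{ url: 'https://app.example/data', headers: {} }],
};
for (const [name, hops] of Object.entries(samples))
  console.log(name, JSON.stringify(evaluateXhr(PAGE, hops)));
```

The first two sample chains correspond to the two symptoms above; a rewriting proxy that lets either one succeed is not enforcing CORS.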

Behavior Change