Last Modified: Sep 13, 2023
Affected Product(s):
BIG-IP APM
Known Affected Versions:
12.1.0, 12.1.1, 12.1.2
Fixed In:
13.0.0, 12.1.3
Opened: Oct 09, 2015 Severity: 3-Major
An XMLHttpRequest to an external domain should fail if the server does not include the 'Access-Control-Allow-Origin' header in its response. The current implementation of CORS support in Portal Access does not enforce this failure. If an XMLHttpRequest to a same-origin resource is redirected to an external one, it has to be treated as a cross-domain request. The current implementation of CORS support in Portal Access does not handle this case correctly.
Web applications may work incorrectly; some data access restrictions may not work.
An XMLHttpRequest to an external domain via Portal Access succeeds even when the server response does not include the 'Access-Control-Allow-Origin' header. An XMLHttpRequest to a same-origin resource succeeds via Portal Access in spite of response redirection.
None
Portal Access now supports CORS for XMLHttpRequest when the response is redirected. CORS support now enforces an error when the 'Access-Control-Allow-Origin' header is absent from the server response.
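
The two rules described above (fail when 'Access-Control-Allow-Origin' is absent, and treat a same-origin request that is redirected to an external host as cross-domain) can be modelled as follows. This is an added example, not F5 code. It is a simplified model of the browser rule for a request without credentials or preflight, and the function name `corsCheck`, the hop format and the example.com / example.net hosts are assumptions constructed for illustration.

```javascript
// Simplified model of the CORS decision for a non-credentialed XMLHttpRequest.
// Each hop is { url, headers }: the URL requested and the response headers it
// returned (redirect responses included). Header names are lowercase.
function corsCheck(pageOrigin, hops) {
  let crossOrigin = false; // sticky: once a hop leaves the origin, it stays cross-origin
  for (const hop of hops) {
    if (new URL(hop.url).origin !== pageOrigin) crossOrigin = true;
    if (!crossOrigin) continue; // still same-origin: no CORS header required
    const acao = hop.headers["access-control-allow-origin"];
    if (acao === undefined) {
      return { allowed: false, reason: `no Access-Control-Allow-Origin from ${hop.url}` };
    }
    if (acao !== "*" && acao !== pageOrigin) {
      return { allowed: false, reason: `origin not allowed by ${hop.url}` };
    }
  }
  return { allowed: true, reason: crossOrigin ? "allowed by CORS headers" : "same-origin" };
}

// Constructed sample exchanges (not captured traffic).
const PAGE = "https://app.example.com";

// Case 1: direct request to an external domain, no CORS header in the response.
const directNoHeader = [{ url: "https://api.example.net/data", headers: {} }];

// Case 2: same-origin request redirected to an external domain, which
// answers without a CORS header.
const redirectedNoHeader = [
  { url: "https://app.example.com/report", headers: { location: "https://api.example.net/report" } },
  { url: "https://api.example.net/report", headers: {} },
];

// Case 3: same redirect, but the external server opts in to the page's origin.
const redirectedAllowed = [
  { url: "https://app.example.com/report", headers: { location: "https://api.example.net/report" } },
  { url: "https://api.example.net/report", headers: { "access-control-allow-origin": PAGE } },
];

for (const [name, hops] of Object.entries({ directNoHeader, redirectedNoHeader, redirectedAllowed })) {
  const r = corsCheck(PAGE, hops);
  console.log(`${name}: ${r.allowed ? "ALLOW" : "BLOCK"} (${r.reason})`);
}
```

Cases 1 and 2 are the two situations the affected versions let through; a correct implementation blocks both and allows only case 3.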