Bug ID 654485: An AJAX request that is processed through with a Portal Access profile may fail.

Last Modified: Sep 13, 2023

Affected Product(s):
BIG-IP APM(all modules)

Known Affected Versions:
12.1.1, 12.1.2, 12.1.3,,,,,,,, 12.1.4,, 12.1.5,,,, 12.1.6, 13.0.0, 13.0.0 HF1, 13.0.0 HF2, 13.0.0 HF3

Fixed In:
13.1.0, 13.0.1

Opened: Mar 30, 2017

Severity: 3-Major

Related Article: K85549136


Application content may not render correctly, or completely, and in some circumstances the content might produce a destination resource error message.


Web application may not work as expected.


This issue occurs when all of the following conditions are met: -- Your BIG-IP APM system is configured with a Portal Access profile. -- A same-origin policy AJAX request is processed by the Portal Access profile. -- The server response to the same-origin policy AJAX request includes the header Access-Control-Allow-Origin that points to a different domain than the original request, or is not set for the (*) wildcard all domains, for example: Same-origin AJAX request: GET /some/file.ext HTTP/1.1 Host: http://example.com Origin: http://example.com Server response with Access-Control-Allow-Origin header: HTTP/1.1 200 OK Access-Control-Allow-Origin: http://otherdomain.com


Use an iRule to remove the special query parameter 'F5_origin' from same-origin AJAX requests via Portal Access to disable CORS check emulation.

Fix Information

Now same-origin AJAX requests are handled correctly regardless of Access-Control-Allow-Origin response header.

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips