Bug ID 654485: An AJAX request that is processed through with a Portal Access profile may fail.

Last Modified: Nov 07, 2022

Bug Tracker

Affected Product:  See more info
BIG-IP APM(all modules)

Known Affected Versions:
12.1.0, 12.1.0 HF1, 12.1.0 HF2, 12.1.1, 12.1.1 HF1, 12.1.1 HF2, 12.1.2, 12.1.2 HF1, 12.1.2 HF2, 12.1.3, 12.1.3.1, 12.1.3.2, 12.1.3.3, 12.1.3.4, 12.1.3.5, 12.1.3.6, 12.1.3.7, 12.1.4, 12.1.4.1, 12.1.5, 12.1.5.1, 12.1.5.2, 12.1.5.3, 12.1.6, 13.0.0, 13.0.0 HF1, 13.0.0 HF2, 13.0.0 HF3

Fixed In:
13.1.0, 13.0.1

Opened: Mar 30, 2017
Severity: 3-Major
Related Article:
K85549136

Symptoms

Application content may not render correctly, or completely, and in some circumstances the content might produce a destination resource error message.

Impact

Web application may not work as expected.

Conditions

This issue occurs when all of the following conditions are met: -- Your BIG-IP APM system is configured with a Portal Access profile. -- A same-origin policy AJAX request is processed by the Portal Access profile. -- The server response to the same-origin policy AJAX request includes the header Access-Control-Allow-Origin that points to a different domain than the original request, or is not set for the (*) wildcard all domains, for example: Same-origin AJAX request: GET /some/file.ext HTTP/1.1 Host: http://example.com Origin: http://example.com Server response with Access-Control-Allow-Origin header: HTTP/1.1 200 OK Access-Control-Allow-Origin: http://otherdomain.com

Workaround

Use an iRule to remove the special query parameter 'F5_origin' from same-origin AJAX requests via Portal Access to disable CORS check emulation.

Fix Information

Now same-origin AJAX requests are handled correctly regardless of Access-Control-Allow-Origin response header.

Behavior Change