Last Modified: Jul 13, 2024
Affected Product(s):
BIG-IP APM
Known Affected Versions:
12.1.1, 12.1.1 HF1, 12.1.1 HF2, 12.1.2, 12.1.2 HF1, 12.1.2 HF2, 12.1.3, 12.1.3.1, 12.1.3.2, 12.1.3.3, 12.1.3.4, 12.1.3.5, 12.1.3.6, 12.1.3.7, 12.1.4, 12.1.4.1, 12.1.5, 12.1.5.1, 12.1.5.2, 12.1.5.3, 12.1.6, 13.0.0, 13.0.0 HF1, 13.0.0 HF2, 13.0.0 HF3
Fixed In:
13.1.0, 13.0.1
Opened: Mar 30, 2017 Severity: 3-Major Related Article:
K85549136
Application content may not render correctly, or completely, and in some circumstances the content might produce a destination resource error message.
Web application may not work as expected.
This issue occurs when all of the following conditions are met: -- Your BIG-IP APM system is configured with a Portal Access profile. -- A same-origin policy AJAX request is processed by the Portal Access profile. -- The server response to the same-origin policy AJAX request includes the header Access-Control-Allow-Origin that points to a different domain than the original request, or is not set for the (*) wildcard all domains, for example: Same-origin AJAX request: GET /some/file.ext HTTP/1.1 Host: http://example.com Origin: http://example.com Server response with Access-Control-Allow-Origin header: HTTP/1.1 200 OK Access-Control-Allow-Origin: http://otherdomain.com
Use an iRule to remove the special query parameter 'F5_origin' from same-origin AJAX requests via Portal Access to disable CORS check emulation.
Now same-origin AJAX requests are handled correctly regardless of Access-Control-Allow-Origin response header.