Bug ID 674297: Custom headers are removed on cross-origin requests

Last Modified: Oct 13, 2023

Affected Product(s):
BIG-IP FPS(all modules)

Known Affected Versions:
13.1.0, 13.1.0.1, 13.1.0.2, 13.1.0.3, 13.1.0.4, 13.1.0.5, 13.1.0.6, 13.1.0.7, 13.1.0.8, 13.1.1, 13.1.1.2, 13.1.1.3, 13.1.1.4, 13.1.1.5, 13.1.3, 13.1.3.1, 13.1.3.2, 13.1.3.3, 13.1.3.4, 13.1.3.5, 13.1.3.6, 13.1.4, 13.1.4.1, 13.1.5, 13.1.5.1, 14.0.0, 14.0.0.1, 14.0.0.2, 14.0.0.3, 14.0.0.4, 14.0.0.5, 14.0.1, 14.0.1.1, 14.1.0, 14.1.0.1, 14.1.0.2, 14.1.0.3, 14.1.0.5, 14.1.0.6, 14.1.2, 14.1.2.1, 14.1.2.2, 14.1.2.3, 14.1.2.4, 14.1.2.5, 14.1.2.6, 14.1.2.7, 14.1.2.8, 14.1.3, 14.1.3.1, 14.1.4, 14.1.4.1, 14.1.4.2, 14.1.4.3, 14.1.4.4, 14.1.4.5, 14.1.4.6, 14.1.5, 14.1.5.1, 14.1.5.2, 14.1.5.3, 14.1.5.4, 14.1.5.6, 15.0.0, 15.0.1, 15.0.1.1, 15.0.1.2, 15.0.1.3, 15.0.1.4

Opened: Jul 17, 2017

Severity: 3-Major

Symptoms

Custom headers are removed on cross-origin requests.

Impact

The request will be blocked, FPS functionality breaks.

Conditions

A cross domain FPS request uses the FPS custom header. For example: AJAX encryption from one domain to another.

Workaround

For HOST <HOST NAME> and FPS custom header <HEADER NAME>, a variant of the following iRule can be used: when HTTP_REQUEST { if {[HTTP::method] equals "OPTIONS" && [HTTP::host] equals "<HOST NAME>"} { set modify_allowed_headers 1 } } when HTTP_RESPONSE { if { [info exists modify_allowed_headers] && $modify_allowed_headers equals "1"} { if { [HTTP::header exists "Access-Control-Allow-Headers"] } { set hdr [HTTP::header value "Access-Control-Allow-Headers"] append hdr ", <HEADER NAME>" HTTP::header replace Access-Control-Allow-Headers $hdr } } }

Fix Information

None

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips