Last Modified: May 29, 2024
Affected Product(s):
BIG-IP ASM
Known Affected Versions:
14.0.0, 14.0.0.1, 14.0.0.2, 14.0.0.3, 14.0.0.4, 14.0.0.5, 14.0.1, 14.1.0, 14.1.0.1, 14.1.0.2, 14.1.0.3, 14.1.0.5, 14.1.0.6, 14.1.2
Fixed In:
15.0.0, 14.1.2.1, 14.0.1.1
Opened: Oct 10, 2018 Severity: 3-Major
Symptoms:
ASM removes every access-control-* response header, including the Cross-Origin Resource Sharing (CORS) headers that tell the browser a cross-origin request is permitted. Browsers enforcing CORS then report errors on the JavaScript console and block cross-origin requests that the backend intended to allow.
Impact:
Any web application that makes cross-origin AJAX (XMLHttpRequest or fetch) requests through the affected virtual server may fail.
Conditions:
-- ASM provisioned.
-- ASM policy attached to a virtual server.
-- Backend server sends CORS headers (access-control-*).
Workaround:
Attach an iRule like the following to the affected virtual server. It records the access-control-* headers while they are still present in HTTP_RESPONSE and re-inserts them in HTTP_RESPONSE_RELEASE, which runs after ASM has processed the response:

    when HTTP_RESPONSE {
        # Start from an empty array on every response; "array set" on its own
        # does not clear entries left over from an earlier response on a
        # keep-alive connection.
        array unset header_list
        array set header_list {}
        # Header names are case-insensitive, so match them lowercased.
        foreach header_name [HTTP::header names] {
            if { [string tolower $header_name] starts_with "access-control-" } {
                set header_list($header_name) [HTTP::header $header_name]
            }
        }
    }
    when HTTP_RESPONSE_RELEASE {
        # Put back only the headers ASM removed; leave any that survived.
        foreach header_name [array names header_list] {
            if { !([HTTP::header exists $header_name]) } {
                HTTP::header insert $header_name $header_list($header_name)
            }
        }
    }

Note that this restores whatever CORS headers the backend sent, so it also undoes any CORS handling the policy is meant to apply to those headers; remove the iRule once a fixed version is installed.
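To confirm whether the headers are actually being stripped (before applying the iRule) or restored (after it), the following added example, written for this article and not F5's code, sends an identical CORS preflight to the backend directly and through the virtual server and lists the access-control-* headers that went missing. The backend URL, virtual server URL and origin are placeholders you supply on the command line; the sample header captures embedded in the block are constructed, not real traffic.

```python
"""Check whether access-control-* headers survive the pass through an
ASM-protected virtual server.

Added example for this article; not F5 code and not part of the iRule
above. URLs, hostnames and the sample headers below are assumptions.
"""
import urllib.request
from urllib.error import HTTPError

CORS_PREFIX = "access-control-"


def cors_headers(headers):
    """Map lowercased name -> value for every access-control-* header.

    `headers` is an iterable of (name, value) pairs, the shape that
    http.client's getheaders() returns. Header names are case-insensitive,
    so they are compared lowercased, as the iRule does.
    """
    return {name.lower(): value
            for name, value in headers
            if name.lower().startswith(CORS_PREFIX)}


def stripped_cors_headers(backend_headers, vs_headers):
    """Return {name: backend_value} for CORS headers the backend sent but the
    client did not receive through the virtual server. Empty dict means OK."""
    sent = cors_headers(backend_headers)
    received = cors_headers(vs_headers)
    return {name: value for name, value in sent.items() if name not in received}


def preflight(url, origin, method="POST", host=None, timeout=5):
    """Send a CORS preflight (OPTIONS with Origin and Access-Control-Request-*)
    and return (status, header_pairs). 4xx/5xx answers are returned rather
    than raised, since a blocked or stripped response is what we look for."""
    req = urllib.request.Request(url, method="OPTIONS")
    req.add_header("Origin", origin)
    req.add_header("Access-Control-Request-Method", method)
    req.add_header("Access-Control-Request-Headers", "content-type")
    if host:  # reach the backend by IP while presenting the real Host header
        req.add_header("Host", host)
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.getheaders()
    except HTTPError as err:
        return err.code, list(err.headers.items())


def compare(backend_url, vs_url, origin, host=None):
    """Run the same preflight against backend and VS; return (vs_status, stripped)."""
    _, backend_hdrs = preflight(backend_url, origin, host=host)
    vs_status, vs_hdrs = preflight(vs_url, origin, host=host)
    return vs_status, stripped_cors_headers(backend_hdrs, vs_hdrs)


# Constructed sample captures (not real traffic): what the backend answered
# and what the client saw through the virtual server with the bug present.
BACKEND_SAMPLE = [
    ("Content-Type", "application/json"),
    ("Access-Control-Allow-Origin", "https://app.example.com"),
    ("Access-Control-Allow-Methods", "GET, POST"),
    ("Access-Control-Allow-Credentials", "true"),
    ("Vary", "Origin"),
]
VS_SAMPLE_BUGGY = [
    ("Content-Type", "application/json"),
    ("Vary", "Origin"),
]


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 4:  # live check: backend_url vs_url origin (placeholders)
        status, lost = compare(sys.argv[1], sys.argv[2], sys.argv[3])
        print(f"virtual server answered {status}")
    else:  # offline demonstration on the constructed captures
        lost = stripped_cors_headers(BACKEND_SAMPLE, VS_SAMPLE_BUGGY)
    for name, value in sorted(lost.items()):
        print(f"stripped: {name}: {value}")
    print("OK: all CORS headers survived" if not lost
          else f"{len(lost)} CORS header(s) stripped")
```

Run it as `python3 cors_check.py http://BACKEND_IP/api https://VS_HOSTNAME/api https://app.example.com` (all three placeholders) with the iRule detached and again with it attached; the stripped list should go from non-empty to empty. Two caveats: send an Origin the backend actually allows, otherwise the backend itself omits the headers and the comparison proves nothing; and if the virtual server answers with a 4xx, check the ASM request log to see whether the policy blocked the OPTIONS request outright before concluding that the headers were stripped.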
Fix Information:
ASM no longer removes CORS headers when the policy's CORS feature is set to 'Disabled'. This is the correct behavior.