Bug ID 746394: With ASM CORS set to 'Disabled' it strips all CORS headers in response.

Last Modified: May 29, 2024

Affected Product(s):
BIG-IP ASM (all modules)

Known Affected Versions:
14.0.0, 14.0.1, 14.1.0, 14.1.2

Fixed In:

Opened: Oct 10, 2018

Severity: 3-Major


All access-control-* headers are removed by ASM, including Cross-Origin Resource Sharing (CORS) headers. This causes CORS-related JavaScript errors on the browser console, and blocks cross-domain requests that should be allowed.


Any webapp that sends cross origin AJAX requests might not work.


-- ASM provisioned.
-- ASM policy attached to a virtual server.
-- Backend server sends CORS headers access-control-*.


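Set up an iRule on a virtual server, for example:

    when HTTP_RESPONSE {
        # Variables persist for the life of the connection, so clear any
        # headers saved from an earlier response before collecting new ones.
        array unset header_list
        array set header_list { }
        # Save every access-control-* header sent by the backend server.
        foreach header_name [HTTP::header names] {
            if { [string tolower $header_name] starts_with "access-control-" } {
                set header_list($header_name) [HTTP::header $header_name]
            }
        }
    }
    when HTTP_RESPONSE_RELEASE {
        # Re-insert any saved header that is no longer present on the response.
        foreach header_name [array names header_list] {
            if {!([HTTP::header exists $header_name])} {
                HTTP::header insert $header_name $header_list($header_name)
            }
        }
    }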
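To check whether a virtual server is affected, or that the workaround restores the headers, compare the response head sent by the backend with the one received through the virtual server. The following is an added example, not F5 code: the function names are hypothetical and the three response heads are constructed samples, not captures from a real system.

```python
PREFIX = "access-control-"

# Constructed sample response heads (assumed values, not real captures).
BACKEND = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: application/json\r\n"
    "Access-Control-Allow-Origin: https://app.example.com\r\n"
    "Access-Control-Allow-Credentials: true\r\n"
    "Vary: Origin\r\n\r\n"
)
AFFECTED = (  # as seen through the virtual server with the bug present
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: application/json\r\n"
    "Vary: Origin\r\n\r\n"
)
RESTORED = (  # headers re-inserted; name case and order may differ
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: application/json\r\n"
    "Vary: Origin\r\n"
    "access-control-allow-origin: https://app.example.com\r\n"
    "ACCESS-CONTROL-ALLOW-CREDENTIALS: true\r\n\r\n"
)

def parse_headers(raw):
    """Map lowercase header name -> list of values from a raw response head."""
    headers = {}
    for line in raw.splitlines()[1:]:      # skip the status line
        if not line:                       # blank line ends the head
            break
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers

def stripped_cors_headers(backend_raw, proxied_raw):
    """Return access-control-* headers the backend sent but the client never saw."""
    backend, proxied = parse_headers(backend_raw), parse_headers(proxied_raw)
    missing = {}
    for name, values in backend.items():
        if not name.startswith(PREFIX):
            continue
        lost = [v for v in values if v not in proxied.get(name, [])]
        if lost:
            missing[name] = lost
    return missing

if __name__ == "__main__":
    for label, proxied in (("affected", AFFECTED), ("restored", RESTORED)):
        print(label, stripped_cors_headers(BACKEND, proxied))
```

An empty result means every access-control-* header from the backend reached the client; header names are compared case-insensitively because the re-inserted headers may differ in case.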

Fix Information

ASM no longer removes CORS headers when the feature is set to 'Disabled'. This is correct behavior.

Behavior Change
