Bug ID 746394: With ASM CORS set to 'Disabled' it strips all CORS headers in response.

Last Modified: Jun 13, 2019


Affected Product:
BIG-IP ASM (all modules)

Known Affected Versions:
14.0.0, 14.0.0.1, 14.0.0.2, 14.0.0.3, 14.0.0.4, 14.0.0.5, 14.1.0, 14.1.0.1, 14.1.0.2, 14.1.0.3, 14.1.0.4, 14.1.0.5, 14.1.0.6

Fixed In:
15.0.0

Opened: Oct 10, 2018
Severity: 3-Major

Symptoms

All access-control-* headers are removed by ASM, including Cross-Origin Resource Sharing (CORS) headers. This causes CORS-related JavaScript errors on the browser console, and blocks cross-domain requests that should be allowed.

Impact

Any web application that sends cross-origin AJAX requests might not work.

Conditions

-- ASM provisioned.
-- ASM policy attached to a virtual server.
-- Backend server sends CORS headers access-control-*.

Workaround

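Set up an iRule on a virtual server, for example:

    when HTTP_RESPONSE {
        # iRule variables live for the whole connection, so drop anything
        # saved from an earlier response on a keep-alive connection.
        array unset header_list
        array set header_list { }
        # Save every access-control-* header the backend server sent.
        foreach header_name [HTTP::header names] {
            if { [string tolower $header_name] starts_with "access-control-" } {
                set header_list($header_name) [HTTP::header $header_name]
            }
        }
    }

    when HTTP_RESPONSE_RELEASE {
        # Re-insert any saved header that is no longer present in the response.
        foreach header_name [array names header_list] {
            if {!([HTTP::header exists $header_name])} {
                HTTP::header insert $header_name $header_list($header_name)
            }
        }
    }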
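To confirm whether a virtual server shows this symptom, or that the iRule restores the headers, compare the response head taken directly from the backend with the one taken through the virtual server (for example with `curl -si`). The script below is an added example, not F5 code; the function names and the sample responses are constructed for illustration.

```python
def parse_headers(raw):
    """Parse a raw HTTP response head into {lowercased name: [values]}."""
    headers = {}
    lines = raw.replace("\r\n", "\n").split("\n")
    for line in lines[1:]:            # skip the status line
        if not line.strip():          # blank line: end of headers
            break
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def stripped_cors_headers(backend_raw, proxied_raw):
    """Return the access-control-* headers (and values) that the backend sent
    but that are absent from the response seen through the virtual server."""
    backend = parse_headers(backend_raw)
    proxied = parse_headers(proxied_raw)
    findings = {}
    for name, values in backend.items():
        if not name.startswith("access-control-"):
            continue
        missing = [v for v in values if v not in proxied.get(name, [])]
        if missing:
            findings[name] = missing
    return findings


# Constructed sample captures (hypothetical hosts and values).
BACKEND = ("HTTP/1.1 200 OK\r\nContent-Type: application/json\r\n"
           "Access-Control-Allow-Origin: https://app.example.com\r\n"
           "Access-Control-Allow-Credentials: true\r\nVary: Origin\r\n\r\n{}")
VIA_AFFECTED = ("HTTP/1.1 200 OK\r\nContent-Type: application/json\r\n"
                "Vary: Origin\r\n\r\n{}")
VIA_WORKAROUND = ("HTTP/1.1 200 OK\r\nContent-Type: application/json\r\n"
                  "Vary: Origin\r\n"
                  "access-control-allow-origin: https://app.example.com\r\n"
                  "Access-Control-Allow-Credentials: true\r\n\r\n{}")

if __name__ == "__main__":
    for label, capture in (("affected", VIA_AFFECTED),
                           ("with iRule", VIA_WORKAROUND)):
        print(label, stripped_cors_headers(BACKEND, capture))
```

Header names are compared case-insensitively, so a header re-inserted with different capitalization still counts as present.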

Fix Information

ASM no longer removes CORS headers when the feature is set to 'Disabled'. This is correct behavior.

Behavior Change