Bug ID 746394: With ASM CORS set to 'Disabled' it strips all CORS headers in response.

Last Modified: May 29, 2024

Affected Product(s):
BIG-IP ASM (all modules)

Known Affected Versions:
14.0.0, 14.0.0.1, 14.0.0.2, 14.0.0.3, 14.0.0.4, 14.0.0.5, 14.0.1, 14.1.0, 14.1.0.1, 14.1.0.2, 14.1.0.3, 14.1.0.5, 14.1.0.6, 14.1.2

Fixed In:
15.0.0, 14.1.2.1, 14.0.1.1

Opened: Oct 10, 2018

Severity: 3-Major

Symptoms

All access-control-* headers are removed by ASM, including Cross-Origin Resource Sharing (CORS) headers. This causes CORS-related JavaScript errors on the browser console, and blocks cross-domain requests that should be allowed.

Impact

Any web application that sends cross-origin AJAX requests might not work.

Conditions

-- ASM provisioned.
-- ASM policy attached to a virtual server.
-- Backend server sends CORS headers access-control-*.

Workaround

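Set up an iRule on a virtual server, for example:

    when HTTP_RESPONSE {
        # Variables are connection-scoped, and "array set" with an empty list
        # does not empty an existing array, so clear entries saved from an
        # earlier response on the same connection.
        array unset header_list
        array set header_list { }
        # Save every access-control-* header the backend sent.
        foreach header_name [HTTP::header names] {
            if { [string tolower $header_name] starts_with "access-control-" } {
                set header_list($header_name) [HTTP::header $header_name]
            }
        }
    }

    when HTTP_RESPONSE_RELEASE {
        # Re-insert any saved header that is missing when the response is released.
        foreach header_name [array names header_list] {
            if {!([HTTP::header exists $header_name])} {
                HTTP::header insert $header_name $header_list($header_name)
            }
        }
    }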
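To confirm that a virtual server shows this symptom, or that the workaround restores the headers, compare the access-control-* headers the backend sends with those the client receives. The following is an added example, not F5 code; the function names and the sample responses are constructed for illustration.

```python
PREFIX = "access-control-"

def cors_headers(raw_head):
    """Return {lowercased name: [values]} for access-control-* headers."""
    found = {}
    lines = raw_head.replace("\r\n", "\n").split("\n")
    for line in lines[1:]:              # skip the status line
        if not line:                    # blank line ends the header block
            break
        name, sep, value = line.partition(":")
        key = name.strip().lower()      # header names are case-insensitive
        if sep and key.startswith(PREFIX):
            found.setdefault(key, []).append(value.strip())
    return found

def compare(backend_raw, client_raw):
    """Diff CORS headers between the backend response and the client-facing one."""
    backend, client = cors_headers(backend_raw), cors_headers(client_raw)
    return {
        "stripped": sorted(n for n in backend if n not in client),
        "changed": sorted(n for n in backend
                          if n in client and backend[n] != client[n]),
        "unexpected": sorted(n for n in client if n not in backend),
    }

# Constructed sample captures (not real traffic).
BACKEND = ("HTTP/1.1 200 OK\r\n"
           "Content-Type: application/json\r\n"
           "Access-Control-Allow-Origin: https://app.example.com\r\n"
           "Access-Control-Allow-Credentials: true\r\n"
           "Vary: Origin\r\n\r\n")
# Same response as seen by the client on an affected version.
VIA_ASM_AFFECTED = ("HTTP/1.1 200 OK\r\n"
                    "Content-Type: application/json\r\n"
                    "Vary: Origin\r\n\r\n")
# Same response with the workaround iRule attached (header case may differ).
VIA_ASM_WORKAROUND = ("HTTP/1.1 200 OK\r\n"
                      "Content-Type: application/json\r\n"
                      "Vary: Origin\r\n"
                      "access-control-allow-origin: https://app.example.com\r\n"
                      "access-control-allow-credentials: true\r\n\r\n")

if __name__ == "__main__":
    print("affected:  ", compare(BACKEND, VIA_ASM_AFFECTED))
    print("workaround:", compare(BACKEND, VIA_ASM_WORKAROUND))
```

A non-empty "unexpected" list means the client received a CORS header the backend did not send for that response, which is worth investigating before relying on any header-restoring rule.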

Fix Information

ASM no longer removes CORS headers when the feature is set to 'Disabled'. This is correct behavior.

Behavior Change
