Last Modified: Jul 12, 2023
Known Affected Versions:
14.1.0, 220.127.116.11, 18.104.22.168, 22.214.171.124, 126.96.36.199, 188.8.131.52, 14.1.2, 184.108.40.206, 220.127.116.11
Opened: Feb 12, 2019
Severity: 4-Minor
When the Single Page Application (SPA) option is enabled in ASM, cross-origin AJAX requests fail with the following error in the browser console, and the site application might not work:

Access to XMLHttpRequest at 'https://x.com' from origin 'https://www.y.com' has been blocked by CORS policy: The value of the 'Access-Control-Allow-Origin' header in the response must not be the wildcard '*' when the request's credentials mode is 'include'. The credentials mode of requests initiated by the XMLHttpRequest is controlled by the withCredentials attribute.
App does not work as expected.
-- ASM with SPA enabled.
-- App is sending cross-origin requests.
Using an iRule, add the following headers to the response:
-- Access-Control-Allow-Origin set to the originating domain.
-- Access-Control-Allow-Credentials: true.
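One way to write the workaround iRule, as an added example that is not F5's own code. It assumes the set of origins allowed to send credentialed requests is known in advance; the list name `static::cors_allowed_origins` is hypothetical, and `https://www.y.com` is the placeholder origin from the error message above. Checking the Origin against an allowlist, rather than echoing back whatever the client sends, keeps arbitrary sites from reading credentialed responses.

```tcl
when RULE_INIT {
    # Assumption: origins trusted to make credentialed cross-origin requests.
    # Replace the placeholder with the application's real front-end origins.
    set static::cors_allowed_origins {
        "https://www.y.com"
    }
}

when HTTP_REQUEST {
    # Remember the request's Origin only when it is on the allowlist.
    set cors_origin ""
    if { [HTTP::header exists "Origin"] } {
        set origin [HTTP::header value "Origin"]
        if { [lsearch -exact $static::cors_allowed_origins $origin] >= 0 } {
            set cors_origin $origin
        }
    }
}

when HTTP_RESPONSE {
    if { $cors_origin ne "" } {
        # Drop any existing values (including the wildcard '*') so the
        # response carries exactly one Access-Control-Allow-Origin header.
        HTTP::header remove "Access-Control-Allow-Origin"
        HTTP::header remove "Access-Control-Allow-Credentials"
        HTTP::header insert "Access-Control-Allow-Origin" $cors_origin
        HTTP::header insert "Access-Control-Allow-Credentials" "true"
        # The response now differs per origin; tell caches so.
        HTTP::header insert "Vary" "Origin"
    }
}
```

Requests whose Origin is not on the list pass through with the response headers untouched, so the browser continues to block them.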
This release adds the relevant CORS fields to responses.