Bug ID 758459: Cross origin AJAX requests are blocked by Cross-Origin Resource Sharing (CORS) protection

Last Modified: Jul 12, 2023

Affected Product(s):
BIG-IP ASM (all modules)

Known Affected Versions:
14.1.0, 14.1.2

Fixed In:

Opened: Feb 12, 2019

Severity: 4-Minor


Symptoms

When the Single Page Application (SPA) option is enabled in ASM, cross-origin AJAX requests result in the following error in the browser console, and the site application might not work:

Access to XMLHttpRequest at 'https://x.com' from origin 'https://www.y.com' has been blocked by CORS policy: The value of the 'Access-Control-Allow-Origin' header in the response must not be the wildcard '*' when the request's credentials mode is 'include'. The credentials mode of requests initiated by the XMLHttpRequest is controlled by the withCredentials attribute.


Impact

App does not work as expected.


Conditions

-- ASM with SPA enabled
-- App is sending cross-origin requests


Workaround

Using an iRule, add the following headers to the response:
-- Access-Control-Allow-Origin with the originating domain.
-- Access-Control-Allow-Credentials: true.
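
One way to write the workaround iRule, as an added example that is not F5's own code. The allowlist contents and the variable names (static::cors_allowed_origins, cors_origin) are assumptions. It returns the originating domain only when that origin is explicitly trusted, because echoing any Origin value together with Access-Control-Allow-Credentials: true would let every site read authenticated responses.

```tcl
# Added example, not F5's code. The allowlist entry is taken from the error
# message on this page; replace it with the origins your application trusts.
when RULE_INIT {
    # Origins permitted to make credentialed cross-origin requests.
    set static::cors_allowed_origins [list "https://www.y.com"]
}

when HTTP_REQUEST {
    # Reset on every request: the variable is connection-scoped, so a
    # keep-alive connection would otherwise reuse the previous value.
    set cors_origin ""
    if { [HTTP::header exists "Origin"] } {
        set candidate [string tolower [HTTP::header value "Origin"]]
        # Exact match only; no suffix or substring matching.
        if { [lsearch -exact $static::cors_allowed_origins $candidate] >= 0 } {
            set cors_origin $candidate
        }
    }
}

when HTTP_RESPONSE {
    if { $cors_origin ne "" } {
        # Replace any wildcard value with the specific originating domain.
        HTTP::header remove "Access-Control-Allow-Origin"
        HTTP::header insert "Access-Control-Allow-Origin" $cors_origin
        HTTP::header remove "Access-Control-Allow-Credentials"
        HTTP::header insert "Access-Control-Allow-Credentials" "true"
        # The response now differs per origin, so tell caches to key on it.
        HTTP::header insert "Vary" "Origin"
    }
}
```

Requests from origins outside the list receive no added CORS headers from this rule.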

Fix Information

This release adds the relevant CORS fields to responses.

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips