Bug ID 758459: Cross-origin AJAX requests are blocked by Cross-Origin Resource Sharing (CORS) protection

Last Modified: Jul 12, 2023

Affected Product(s):
BIG-IP ASM (all modules)

Known Affected Versions:
14.1.0, 14.1.0.1, 14.1.0.2, 14.1.0.3, 14.1.0.5, 14.1.0.6, 14.1.2, 14.1.2.1, 14.1.2.2

Fixed In:
15.0.0, 14.1.2.3

Opened: Feb 12, 2019

Severity: 4-Minor

Symptoms

When the Single Page Application (SPA) option is enabled in ASM, cross-origin AJAX requests result in the following error in the browser console, and the site application might not work:

Access to XMLHttpRequest at 'https://x.com' from origin 'https://www.y.com' has been blocked by CORS policy: The value of the 'Access-Control-Allow-Origin' header in the response must not be the wildcard '*' when the request's credentials mode is 'include'. The credentials mode of requests initiated by the XMLHttpRequest is controlled by the withCredentials attribute.

Impact

App does not work as expected.

Conditions

-- ASM with SPA enabled
-- App is sending cross-origin requests

Workaround

Using an iRule, add the following headers to the response:
-- Access-Control-Allow-Origin with originating domain.
-- Access-Control-Allow-Credentials: true.
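
One way to write the workaround iRule (an added example, not F5's own code or the shipped fix). It assumes a string data group named cors_allowed_origins, a hypothetical name, that lists the origins allowed to make credentialed requests, so that Access-Control-Allow-Credentials: true is only ever paired with a vetted origin rather than with any reflected Origin value.

```tcl
# Added example. Assumption: cors_allowed_origins is a string data group
# (hypothetical name) holding trusted origins such as https://www.y.com
when HTTP_REQUEST {
    # Reset per request so a keep-alive connection never reuses an old value
    set cors_origin ""
    if { [HTTP::header exists "Origin"] } {
        set origin [HTTP::header value "Origin"]
        # Exact match only: no suffix or substring matching on the origin
        if { [class match -- $origin equals cors_allowed_origins] } {
            set cors_origin $origin
        }
    }
}

when HTTP_RESPONSE {
    if { $cors_origin ne "" } {
        # replace overwrites an existing value (or adds the header if absent),
        # so the response carries a single Access-Control-Allow-Origin
        HTTP::header replace "Access-Control-Allow-Origin" $cors_origin
        HTTP::header replace "Access-Control-Allow-Credentials" "true"
        # The response now differs per origin; tell caches about it
        HTTP::header insert "Vary" "Origin"
    }
}
```

Requests from origins not in the data group get no CORS headers from this iRule, so the browser keeps blocking them.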

Fix Information

This release adds the relevant CORS fields to responses.

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips