Bug ID 758459: Cross origin AJAX requests are blocked Cross-Origin Resource Sharing (CORS) protection

Last Modified: Nov 07, 2022

Bug Tracker

Affected Product:  See more info
BIG-IP ASM(all modules)

Known Affected Versions:
14.1.0, 14.1.0.1, 14.1.0.2, 14.1.0.3, 14.1.0.5, 14.1.0.6, 14.1.2, 14.1.2.1, 14.1.2.2

Fixed In:
15.0.0, 14.1.2.3

Opened: Feb 12, 2019
Severity: 4-Minor

Symptoms

When enabling Single Page Application (SPA) option in ASM, cross origin AJAX requests are resulting in the following error in the browser console, and site application might not work: Access to XMLHttpRequest at 'https://x.com' from origin 'https://www.y.com' has been blocked by CORS policy: The value of the 'Access-Control-Allow-Origin' header in the response must not be the wildcard '*' when the request's credentials mode is 'include'. The credentials mode of requests initiated by the XMLHttpRequest is controlled by the withCredentials attribute.

Impact

App does not work as expected.

Conditions

-- ASM with SPA enabled -- App is sending cross-origin requests

Workaround

Using an iRule, add the following headers to the response: -- Access-Control-Allow-Origin with originating domain. -- Access-Control-Allow-Credentials: true.

Fix Information

This release adds the relevant CORS fields to responses.

Behavior Change