Bug ID 918093: Access-Control-Allow-Origin header with trailing white spaces causes Portal Access CORS failure.

Last Modified: May 29, 2024

Affected Product(s):
BIG-IP APM(all modules)

Known Affected Versions:
15.1.0,,,,,, 15.1.1, 15.1.2,, 15.1.3,, 15.1.4,, 15.1.5,, 15.1.6,, 15.1.7, 15.1.8,,, 15.1.9,, 15.1.10,,,, 16.0.0,, 16.0.1,,

Fixed In:

Opened: Jun 16, 2020

Severity: 3-Major


'Access-Control-Allow-Origin' header value may contain trailing white spaces in very rare cases, for example: Access-Control-Allow-Origin: http://example.com \r\n In this case, Cross-Origin Resource Sharing (CORS) validation may fail if the 'Origin' header value contains the same value as that of 'Access_Control_Allow_Origin', but without trailing white spaces, for example: Origin: http://example.com\r\n If CORS validation fails, content on the browser gets blocked.


Web application content gets blocked on the browser when accessed through Portal Access.


-- 'Origin' header and 'Access-Control-Allow-Origin' header values match except for the trailing white space. -- Using Portal Access to access the resource.


Use an iRule to truncate trailing white space from 'Access-Control-Allow-Origin' headers.

Fix Information

Now, content does not get blocked if 'Origin' header and 'Access-Control-Allow-Origin' header values match except for trailing white space.

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips