Bug ID 952509: Cross origin AJAX requests are blocked in case there is no Origin header

Last Modified: May 29, 2024

Affected Product(s):
BIG-IP ASM (all modules)

Known Affected Versions:
15.1.2, 15.1.3

Fixed In:
16.1.0, 15.1.4

Opened: Oct 07, 2020

Severity: 4-Minor


When using Single Page Application, if a CORS request is sent without an Origin header, the "Access-Control-Allow-Origin" header is not set and the request is blocked.


Request is blocked.


-- ASM policy / DoS (with application) profile / Bot Defense Profile are attached to VS, with a "Single Page Application" flag enabled.
-- Client is using dosl7.allowed_origin option.
-- CORS Request is sent without an Origin header.


Use an iRule to add the Origin header, derived from the domain in the Referer header.
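
One way to write the workaround iRule (an added example, not code from F5). It assumes a string data group named `allowed_cors_origins` (a hypothetical name) holding lowercase origins such as `https://app.example.com`; because the Referer header is client-controlled, the Origin header is only inserted when the derived value is in that list.

```tcl
when HTTP_REQUEST {
    # Act only when the client sent a Referer but no Origin header.
    if { ![HTTP::header exists "Origin"] && [HTTP::header exists "Referer"] } {
        set referer [HTTP::header value "Referer"]

        # Keep scheme://host[:port] and drop path, query and fragment.
        if { [regexp -nocase {^(https?://[^/?#]+)} $referer -> origin] } {
            # Origins are compared in lowercase form.
            set origin [string tolower $origin]

            # allowed_cors_origins is an assumed data group (hypothetical name).
            # Referer values that are not listed leave the request unchanged.
            if { [class match -- $origin equals allowed_cors_origins] } {
                HTTP::header insert "Origin" $origin
            }
        }
    }
}
```

Requests whose Referer does not map to a listed origin still arrive without an Origin header and are handled as described in this bug.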

Fix Information

The Referer header is now also checked when modifying CORS headers.
