Bug ID 952509: Cross origin AJAX requests are blocked in case there is no Origin header

Last Modified: May 07, 2021

Bug Tracker

Affected Product:  See more info
BIG-IP ASM(all modules)

Known Affected Versions:
15.1.0, 15.1.0.1, 15.1.0.2, 15.1.0.3, 15.1.0.4, 15.1.0.5, 15.1.1, 15.1.2, 15.1.2.1, 15.1.3

Opened: Oct 07, 2020
Severity: 4-Minor

Symptoms

When using Single Page Application, if a CORS request is sent without an Origin, the "Access-Control-Allowed-Origin" header is not set and the request is blocked.

Impact

Request is blocked.

Conditions

-- ASM policy / DoS (with application) profile / Bot Defense Profile are attached to VS, with a "Single Page Application" flag enabled. -- Client is using dosl7.allowed_origin option -- CORS Request is sent without an Origin header.

Workaround

Use an iRule to add the Origin header according to the domain in the Referrer header.

Fix Information

None

Behavior Change