Bug ID 952509: Cross origin AJAX requests are blocked in case there is no Origin header

Last Modified: Sep 13, 2023

Affected Product(s):
BIG-IP ASM(all modules)

Known Affected Versions:
15.1.2, 15.1.2.1, 15.1.3, 15.1.3.1

Fixed In:
16.1.0, 16.0.1.2, 15.1.4, 14.1.4.4

Opened: Oct 07, 2020

Severity: 4-Minor

Symptoms

When the Single Page Application setting is enabled and a cross-origin AJAX request arrives without an Origin header, the Access-Control-Allow-Origin response header is not set and the request is blocked.

Impact

Request is blocked.

Conditions

-- An ASM policy, DoS (with application) profile, or Bot Defense profile is attached to the virtual server with the "Single Page Application" flag enabled.
-- The dosl7.allowed_origin option is in use.
-- A cross-origin request is sent without an Origin header.

Workaround

Use an iRule to add an Origin header derived from the scheme and host of the Referer header. Note that the HTTP header is spelled "Referer", and that a strict Referrer-Policy (for example no-referrer) on the calling page removes it entirely, in which case the workaround cannot reconstruct an Origin and the fixed release is required.
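The following iRule is an added example of that workaround; it is not code from F5 or from this bug report. It assumes it is attached to the same virtual server as the affected profile, that only requests lacking an Origin header should be touched, and that the inserted value is still subject to the profile's own allowed-origin check (dosl7.allowed_origin), so the iRule does not repeat that list:

```tcl
# Added example iRule for the Bug ID 952509 workaround (not F5's own code).
# Assumption: the profile's allowed-origin list still validates the inserted
# Origin, so this rule only reconstructs the value and does not authorize it.
when HTTP_REQUEST {
    # Browsers always send Origin on cross-origin XHR/fetch requests; only act
    # when it is missing so genuine CORS requests pass through untouched.
    if { [HTTP::header exists "Origin"] } {
        return
    }
    # Nothing to derive from if the client (or its Referrer-Policy) sent no Referer.
    if { ![HTTP::header exists "Referer"] } {
        return
    }
    set referer [HTTP::header value "Referer"]

    # An origin is scheme "://" host [":" port] and nothing else. Cut the
    # Referer at the first "/", "?" or "#" after the authority so no path or
    # query string leaks into the Origin value.
    if { [regexp -nocase {^(https?://[^/?#]+)} $referer -> origin] } {
        # Scheme and host compare case-insensitively, but allow-lists are
        # often literal strings, so normalize before inserting.
        set origin [string tolower $origin]
        HTTP::header insert "Origin" $origin
        # Verification logging only; remove or rate-limit once confirmed.
        log local0.info "952509 workaround: inserted Origin $origin for [HTTP::uri]"
    }
}
```

To confirm the behaviour before and after attaching the rule, send the same request from a non-browser client with and without the header, for example `curl -H 'Referer: https://app.example.com/page' https://vs.example.com/api/data` (no Origin) versus adding `-H 'Origin: https://app.example.com'`; with the rule in place both should receive an Access-Control-Allow-Origin response header, and the log line shows which requests were rewritten. Deriving Origin from Referer does not weaken the browser's same-origin model, since both headers are set by the client, but it does mean a non-browser client can claim any origin, which is why the profile's allowed-origin check must remain the deciding control.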

Fix Information

The Referer header is now also checked when the CORS response headers are modified, so a request without an Origin header is no longer blocked.

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips