Last Modified: May 29, 2024
Affected Product(s):
BIG-IP ASM
Known Affected Versions:
15.1.2, 15.1.2.1, 15.1.3, 15.1.3.1
Fixed In:
16.1.0, 16.0.1.2, 15.1.4, 14.1.4.4
Opened: Oct 07, 2020
Severity: 4-Minor
When using Single Page Application, if a CORS request is sent without an Origin header, the "Access-Control-Allow-Origin" header is not set and the request is blocked.
Request is blocked.
-- ASM policy / DoS (with application) profile / Bot Defense Profile are attached to VS, with a "Single Page Application" flag enabled.
-- Client is using dosl7.allowed_origin option
-- CORS Request is sent without an Origin header.
Use an iRule to add the Origin header according to the domain in the Referer header.
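One way to write the workaround iRule, as an added example rather than F5's own code. The data group name `allowed_spa_origins_dg` is hypothetical and is assumed to be a string data group listing the same origins that are configured for dosl7.allowed_origin. Because the Referer header is client-supplied, the derived value is only promoted to Origin when it matches that list.

```tcl
when HTTP_REQUEST {
    # Act only when the client sent no Origin header but did send a Referer.
    if { ![HTTP::header exists "Origin"] && [HTTP::header exists "Referer"] } {
        set referer [HTTP::header value "Referer"]

        # Keep scheme://host[:port] only; an Origin never carries a path,
        # query string or fragment.
        if { [regexp -nocase {^(https?://[^/?#]+)} $referer -> origin] } {
            set origin [string tolower $origin]

            # allowed_spa_origins_dg is a hypothetical data group (assumption):
            # exact-match list of origins the application trusts.
            if { [class match $origin equals allowed_spa_origins_dg] } {
                HTTP::header insert "Origin" $origin
            } else {
                # Leave the request unchanged and record the mismatch.
                log local0.info "No Origin added: Referer origin $origin is not in the allowed list"
            }
        }
    }
}
```

Requests whose Referer is missing, malformed, or points at an origin outside the list pass through unmodified and are still handled as described above.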
Check the Referer header also when modifying CORS headers.