Forum Discussion

Hugo_Frauches_2's avatar
Hugo_Frauches_2
Icon for Cirrus rankCirrus
Dec 11, 2018

ASM Transparent mode blocking CORS requests

Hello community,   I would like to know if anyone have seen or had an issue with CORS (Cross-Origin Resource Sharing) and ASM, i have an problem with Javascript request that its been blocked by CO...
application delivery
ASM Advanced WAF
security
  • Alex_Nimo_26616's avatar
    Alex_Nimo_26616
    Dec 16, 2018

    Hi Hugo,

     

    Thanks for the update. I agree, this is unacceptable. Never encountered something like this with ASM and I have dealt with CORS many times before. You can play with the CORS configuration through ASM or with an irule, I think that this is what I will do.

     

Hugo_Frauches_2's avatar
Hugo_Frauches_2
Icon for Cirrus rankCirrus
Dec 12, 2018

Just found out that the ASM its removing the Security Headers from response, and then causing CORS erros for the clients.

Removed Headers:

Access-Control-Allow-Origin: https://www.app.com
Access-Control-Allow-Credentials: true
Access-Control-Allow-Methods: GET, POST
Access-Control-Allow-Headers: Content-Type, *

in fact the headers are presented in HTTP_RESPONSE (APP>F5) but are removed in HTTP_RESPONSE_RELEASE (F5>CLient) by ASM.

Could this be an BUG or some feature by design? Because ASM transparent mode should not block/change anything in the request...