ASM Transparent mode blocking CORS requests

Hello Alex,

In fact the ASM does this, the F5 support told me this its by design on ASM:

"If you do not enable cross-domain request enforcement, the system removes all cross-origin request headers and CORS is not allowed for the URL."

For me this its unacceptable, F5 ASM shouldnt do this by default, because we have an feature called "transparent mode" and this CORS protection should be disabled and allowing * (Wildcards) by default. I have requested an RFE for this.

I just had the same problem in my F5 BIG IP ASM 14.1.0.1. If I remove the WAF everything works flawless, I would expect at least the WAF in transparent mode to work but that isn't the case either...

After opening a ticket with the F5 they gave the following irule as solution (known bug = https://support.f5.com/kb/en-us/products/big-ip_ltm/releasenotes/related/relnote-supplement-bigip-14-1-0-1.htmlA746394-1😞

Setup an irule on a virtual server:

when HTTP_RESPONSE {
    array set header_list { }
    foreach header_name [HTTP::header names] {
        if { [string tolower $header_name] starts_with "access-control-" } {
            set header_list($header_name) [HTTP::header $header_name]
        }
    }
}
when HTTP_RESPONSE_RELEASE {
    foreach header_name [array names header_list] {
        if {!([HTTP::header exists $header_name])} {
            HTTP::header insert $header_name $header_list($header_name)
        }
    }
}

Thanks for the update!