Forum Discussion

Hugo_Frauches_2's avatar
Hugo_Frauches_2
Icon for Cirrus rankCirrus
Dec 11, 2018

ASM Transparent mode blocking CORS requests

Hello community,   I would like to know if anyone have seen or had an issue with CORS (Cross-Origin Resource Sharing) and ASM, i have an problem with Javascript request that its been blocked by CO...
application delivery
ASM Advanced WAF
security
  • Alex_Nimo_26616's avatar
    Alex_Nimo_26616
    Dec 16, 2018

    Hi Hugo,

     

    Thanks for the update. I agree, this is unacceptable. Never encountered something like this with ASM and I have dealt with CORS many times before. You can play with the CORS configuration through ASM or with an irule, I think that this is what I will do.

     

Alex_Nimo_26616's avatar
Alex_Nimo_26616
Icon for Altocumulus rankAltocumulus

Stumbled upon very similar issue yesterday. When ASM is configured( simple profile ) even in transparent mode, users on mobile chrome receive CORS error on certain iframes. When ASM is disabled, everything works flawlessly. Need to verify if ASM is striping down the CORS headers...

 

rodolfosalgado_'s avatar
rodolfosalgado_
Icon for Altostratus rankAltostratus
Feb 20, 2019

After opening a ticket with the F5 they gave the following irule as solution (known bug = https://support.f5.com/kb/en-us/products/big-ip_ltm/releasenotes/related/relnote-supplement-bigip-14-1-0-1.htmlA746394-1😞

Setup an irule on a virtual server:

when HTTP_RESPONSE {
    array set header_list { }
    foreach header_name [HTTP::header names] {
        if { [string tolower $header_name] starts_with "access-control-" } {
            set header_list($header_name) [HTTP::header $header_name]
        }
    }
}
when HTTP_RESPONSE_RELEASE {
    foreach header_name [array names header_list] {
        if {!([HTTP::header exists $header_name])} {
            HTTP::header insert $header_name $header_list($header_name)
        }
    }
}