Forum Discussion

DenverRB_326662's avatar
DenverRB_326662
Icon for Nimbostratus rankNimbostratus
Sep 18, 2017

cross-domain request enforcement question

cross-domain request enforcement question

 

I have application people that are shifting towards HTML5 which an application uses COR (cross-domain request).

 

I am unable to find a definitive thread on my exact question. I see the forums have some that are either extremely old and point to "Page Not Found" Messages.

 

The information I found is here in these links but still do not answer my question -

 

https://support.f5.com/kb/en-us/products/big-ip_asm/manuals/product/asm-implementations-11-5-0/16.html https://devcentral.f5.com/questions/adding-cors-response-headers https://devcentral.f5.com/questions/cors-irule-query

 

I cannot get a page that utilizes cross-domain request to function on the F5. Is the F5 by default stripping the headers out and removing the ability for these pages to display?

 

I see some individuals have created iRules to add in data in HTTP_REQUEST and HTTP_RESPONSE but was unsure of what was actually causing the problem. I have a basic VIP setup to load balance to the pages that utilize COR and they do not display. Is there anyone that can provide some input?

 

  • Hello Denver,

    Do you have an ASM policy attached to your VS ? Or you are using LTM only ?

    By default browser follows the "same-origin policy" which means that only request from same domain are authorized.

    Example Mozilla : https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS

    To allow you browser to load CORS request, you need to add explicit headers telling the browser that you accept loading pages from different origin.

    From the F5 you can add an irule that insert CORS specific Header in REQUEST/RESPONSE events

    Typically you can add the following:

    when HTTP_REQUEST {
            set cors_origin "0"
            if { [HTTP::header Origin] contains "allowed_domain" } {
                set cors_origin [HTTP::header "Origin"]
            }
    
    when HTTP_RESPONSE {
        if { !($cors_origin eq "0") } {
            HTTP::header insert "Access-Control-Allow-Origin" $cors_origin
        }
    }
    

    This irule will tell the browser to load content from the "allowed_domain".

    So you only need to apply this irule and specify which "allowed_domain" can request content from your server.

    Hope it helps

    Regards