For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

DenverRB_326662's avatar
DenverRB_326662
Icon for Nimbostratus rankNimbostratus
Sep 18, 2017

cross-domain request enforcement question

cross-domain request enforcement question   I have application people that are shifting towards HTML5 which an application uses COR (cross-domain request).   I am unable to find a definitive th...
application delivery
devops
iRules
LTM
Jad_Tabbara__J1's avatar
Jad_Tabbara__J1
Icon for Cirrostratus rankCirrostratus
Sep 19, 2017

Hello Denver,

Do you have an ASM policy attached to your VS ? Or you are using LTM only ?

By default browser follows the "same-origin policy" which means that only request from same domain are authorized.

Example Mozilla : https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS

To allow you browser to load CORS request, you need to add explicit headers telling the browser that you accept loading pages from different origin.

From the F5 you can add an irule that insert CORS specific Header in REQUEST/RESPONSE events

Typically you can add the following:

when HTTP_REQUEST {
        set cors_origin "0"
        if { [HTTP::header Origin] contains "allowed_domain" } {
            set cors_origin [HTTP::header "Origin"]
        }

when HTTP_RESPONSE {
    if { !($cors_origin eq "0") } {
        HTTP::header insert "Access-Control-Allow-Origin" $cors_origin
    }
}

This irule will tell the browser to load content from the "allowed_domain".

So you only need to apply this irule and specify which "allowed_domain" can request content from your server.

Hope it helps

Regards