Forum Discussion
Nimbostratuscross-domain request enforcement question
CirrostratusHello Denver,
Do you have an ASM policy attached to your VS ? Or you are using LTM only ?
By default browser follows the "same-origin policy" which means that only request from same domain are authorized.
Example Mozilla : https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS
To allow you browser to load CORS request, you need to add explicit headers telling the browser that you accept loading pages from different origin.
From the F5 you can add an irule that insert CORS specific Header in REQUEST/RESPONSE events
Typically you can add the following:
when HTTP_REQUEST {
set cors_origin "0"
if { [HTTP::header Origin] contains "allowed_domain" } {
set cors_origin [HTTP::header "Origin"]
}
when HTTP_RESPONSE {
if { !($cors_origin eq "0") } {
HTTP::header insert "Access-Control-Allow-Origin" $cors_origin
}
}
This irule will tell the browser to load content from the "allowed_domain".
So you only need to apply this irule and specify which "allowed_domain" can request content from your server.
Hope it helps
Regards
