For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Thomas_________'s avatar
Thomas_________
Icon for Nimbostratus rankNimbostratus
Aug 25, 2020

HTML5 Cross-Domain Reuest Enforcement not working as expected (13.1.1)

I am confused by the HTML5 Cross-Domain Reuest Enforcement. We have tested all of the modes quite extensively and analyzed the bahaviour.   Mode "Replace CORS headers" actually seems to remove th...
ASM Advanced WAF
security
Thomas_________'s avatar
Thomas_________
Icon for Nimbostratus rankNimbostratus
Aug 31, 2020

Nobody has ever even tried this feature?

  • Ivan_Chernenkii's avatar
    Ivan_Chernenkii
    Icon for Employee rankEmployee
    Sep 01, 2020

    Hello Thomas,

     

    Please take a look at https://techdocs.f5.com/kb/en-us/products/big-ip_asm/manuals/product/asm-implementations-12-1-0/17.html

    "Enforce on ASM" should trigger "Illegal cross-origin request" violation if origin in request is not defined as allowed. It shouldn't remove or modify any response headers.

    "Replace CORS headers" should replace response headers with values defined in configuration of URL. Pay attention, that to make it work you must get preflight CORS request at first.

     

    If it doesn't help, then please share config of your CORS URLs and CORS traffic (requests/responses) incl. preflight request.

     

    Thanks, Ivan