Forum Discussion

ZANOOB
Aug 16, 2021

iRule for disabling CORS functionality.

Hello All,

 

Hope you are all doing well. Wondering if you would have an answer to a CORS issue.

I am trying to disable CORS for a web app that we have published, and we can see it is failing to load because of a CORS error.

I even tried disabling the ASM policy on the virtual server, but I am still getting the CORS error in the browser.

I am trying to figure out whether the iRule for disabling CORS will work or not. However, when I create the iRule mentioned in the article (https://devcentral.f5.com/s/articles/cors-implementation), I get an error on F5.

Is there an issue with allowed_origins as a class, since I get the error:

01070151:3: Rule [/Common/Allowed_CROS] error: /Common/Allowed_CROS:2: error: [command is not valid in the current scope][class allowed_origins {
".example.com"
".example2.com"
".goodpartner.com"
}]

 

    # Domains that are allowed to make cross-domain calls to example.com
    class allowed_origins {
        ".example.com"
        ".example2.com"
        ".goodpartner.com"
    }
    when HTTP_REQUEST {
        unset -nocomplain cors_origin
        if { [class match [HTTP::header Origin] ends_with allowed_origins] } {
            if { ( [HTTP::method] equals "OPTIONS" ) and ( [HTTP::header exists "Access-Control-Request-Method"] ) } {
                # CORS preflight request - return response immediately
                HTTP::respond 200 "Access-Control-Allow-Origin" [HTTP::header "Origin"] \
                    "Access-Control-Allow-Methods" [HTTP::header "Access-Control-Request-Method"] \
                    "Access-Control-Allow-Headers" [HTTP::header "Access-Control-Request-Headers"] \
                    "Access-Control-Max-Age" "86400" \
                    "Vary" "Origin"
            } else {
                # CORS GET/POST requests - set cors_origin variable
                set cors_origin [HTTP::header "Origin"]
            }
        }
    }
    when HTTP_RESPONSE {
        # CORS GET/POST response - check cors_origin variable set in request
        if { [info exists cors_origin] } {
            HTTP::header insert "Access-Control-Allow-Origin" $cors_origin
            HTTP::header insert "Access-Control-Allow-Credentials" "true"
            HTTP::header insert "Vary" "Origin"
        }
    }

  • You should remove this text from your iRule:

        class allowed_origins {
            ".example.com"
            ".example2.com"
            ".goodpartner.com"
        }

    ^- This was an example of a data group called "allowed_origins", which you should create (the easiest way is to do it via the F5 GUI):

    Local Traffic -> iRules -> DataGroups, and instead of ".example.com" you should put your domain (mind the first dot, which is needed in this case).
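
Why the leading dot in each data group record matters, as an added example that is not part of the original thread and is not F5 code: a Python model of the iRule's `class match ... ends_with allowed_origins` check and of the headers the iRule then sends. It assumes a plain, case-sensitive string suffix comparison; the function names and the sample origins are constructed for illustration.

```python
# Model of the iRule's origin check:
#   [class match [HTTP::header Origin] ends_with allowed_origins]
# Assumption: a plain, case-sensitive string suffix comparison.

ALLOWED_WITH_DOT = [".example.com", ".example2.com", ".goodpartner.com"]
# Same records without the leading dot (misconfiguration, for comparison).
ALLOWED_NO_DOT = ["example.com", "example2.com", "goodpartner.com"]


def class_match_ends_with(origin, datagroup):
    """True if the Origin value ends with any record of the data group."""
    return any(origin.endswith(record) for record in datagroup)


def cors_headers(method, headers, datagroup):
    """CORS headers the iRule would send for this request ({} if none)."""
    origin = headers.get("Origin", "")
    if not class_match_ends_with(origin, datagroup):
        return {}
    if method == "OPTIONS" and "Access-Control-Request-Method" in headers:
        # Preflight: the iRule answers directly with a 200.
        return {
            "Access-Control-Allow-Origin": origin,
            "Access-Control-Allow-Methods": headers["Access-Control-Request-Method"],
            "Access-Control-Allow-Headers": headers.get("Access-Control-Request-Headers", ""),
            "Access-Control-Max-Age": "86400",
            "Vary": "Origin",
        }
    # Actual request: headers inserted into the server's response.
    return {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Credentials": "true",
        "Vary": "Origin",
    }


# Constructed sample origins.
SAMPLES = [
    "https://app.example.com",       # subdomain: matched
    "https://evilexample.com",       # look-alike: matched only without the dot
    "https://example.com",           # apex: not matched by ".example.com"
    "https://app.example.com:8443",  # explicit port: suffix no longer matches
]

if __name__ == "__main__":
    for o in SAMPLES:
        print(o, class_match_ends_with(o, ALLOWED_WITH_DOT),
              class_match_ends_with(o, ALLOWED_NO_DOT))
```

Because the iRule reflects the matched origin together with `Access-Control-Allow-Credentials: true`, a record without the leading dot would extend credentialed access to any domain whose name merely ends in the same characters. With the dot, the apex origin and origins carrying an explicit port are not matched by these records.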