For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

ZANOOB's avatar
ZANOOB
Icon for Cirrus rankCirrus
Aug 16, 2021

Irule for disabling CORS functionality.

Hello All,

 

Hope you all doing good. Wondering if you would have a answer for to a CORS issue.

I am trying to disable CORS for an web app that we have published and we can see it is failing to load because of CROS error.

I even tried disabling ASM policy from the virtual server , still getting the CROS error on the browser.

I am trying to figure out if the iRule for disabling CORS will work or not. However, when i create the irule mentioned in the article (https://devcentral.f5.com/s/articles/cors-implementation) I get an error on F5 .

 

Is there an issue with allowed_origins as class ,since i get the error :

01070151:3: Rule [/Common/Allowed_CROS] error: /Common/Allowed_CROS:2: error: [command is not valid in the current scope][class allowed_origins {

".example.com"

".example2.com"

".goodpartner.com"

}]

 

  1. # Domains that are allowed to make cross-domain calls to example.com
  2. class allowed_origins {
  3. ".example.com"
  4. ".example2.com"
  5. ".goodpartner.com"
  6. }
  7. when HTTP_REQUEST {
  8. unset -nocomplain cors_origin
  9. if { [class match [HTTP::header Origin] ends_with allowed_origins] } {
  10. if { ( [HTTP::method] equals "OPTIONS" ) and ( [HTTP::header exists "Access-Control-Request-Method"] ) } {
  11. # CORS preflight request - return response immediately
  12. HTTP::respond 200 "Access-Control-Allow-Origin" [HTTP::header "Origin"] \
  13. "Access-Control-Allow-Methods" [HTTP::header "Access-Control-Request-Method"] \
  14. "Access-Control-Allow-Headers" [HTTP::header "Access-Control-Request-Headers"] \
  15. "Access-Control-Max-Age" "86400" \
  16. "Vary" "Origin"
  17. } else {
  18. # CORS GET/POST requests - set cors_origin variable
  19. set cors_origin [HTTP::header "Origin"]
  20. }
  21. }
  22. }
  23. when HTTP_RESPONSE {
  24. # CORS GET/POST response - check cors_origin variable set in request
  25. if { [info exists cors_origin] } {
  26. HTTP::header insert "Access-Control-Allow-Origin" $cors_origin
  27. HTTP::header insert "Access-Control-Allow-Credentials" "true"
  28. HTTP::header insert "Vary" "Origin"
  29. }
  30. }

 

 

 

 

BIG-IP
iRules
security

1 Reply

  • samstep's avatar
    samstep
    Icon for Cirrocumulus rankCirrocumulus
    Sep 15, 2021

    you should remove this text from your irule:

     

    1. class allowed_origins {
    2. ".example.com"
    3. ".example2.com"
    4. ".goodpartner.com"
    5. }

     

     

    ^-this was an example of a datagroup called "allowed_origins" which you should create (easiest way is to do it via the F5 GUI):

     

    Local Traffic -> iRules->DataGroups and instead of ".example.com" you should put your domain (mind the first dot which is needed in this case)