Forum Discussion

Christy_Love
Jul 29, 2020

CORS Response Headers-403 Forbidden

I am working with our DBA/Applications teams to assist with a CORS-related issue.

In an attempt to resolve the issues I have written several iRules to insert an HTTP response header, none of which work.

I have focused on one particular iRule, taken from a related DevCentral article posted in 2015.

https://devcentral.f5.com/s/question/0D51T00006i7azP/adding-cors-response-headers

Has anyone had any success with this and can you share the iRule written?

Below is the latest iRule I have written and applied to the F5 front-end:

*****************************************************************************************************************

 

when HTTP_REQUEST {
    set debug 0
    set Origin ""
    # Debug logging is switched on per request by an X-tls-debug header
    if {[HTTP::header exists "X-tls-debug"]} {
        set debug 1
    }
    if {$debug} {
        set prefix "\[[TCP::client_port].[expr {int (rand() * 100000)}]\] "
    }
    if {[HTTP::header exists Origin]} {
        if {$debug} {log local0. "${prefix} Origin:[HTTP::header Origin]"}
        switch -glob -- [HTTP::header Origin] {
            "*company1.com" -
            "*company2.com" {
                # Origin matched one of the patterns: handle by request method
                switch -- [HTTP::method] {
                    "OPTIONS" {
                        if {$debug} {log local0. "${prefix} Responding to Preflight request"}
                        HTTP::respond 403 forbidden Allow "GET,HEAD,POST,OPTIONS" \
                            Access-Control-Allow-Origin "[HTTP::header Origin]" \
                            Access-Control-Allow-Methods "GET,POST" \
                            Access-Control-Max-Age "86400"
                        return
                    }
                    "GET" -
                    "POST" {
                        if {$debug} {log local0. "${prefix} Origin:[HTTP::header Origin]"}
                        # Remember the origin so HTTP_RESPONSE can echo it back
                        set Origin [HTTP::header Origin]
                    }
                }
            }
            default {
                # Any other origin: answer OPTIONS without CORS headers
                if {[HTTP::method] eq "OPTIONS"} {
                    if {$debug} {log local0. "${prefix} Responding to OPTIONS method"}
                    HTTP::respond 403 forbidden Allow "GET,POST,HEAD,OPTIONS"
                    return
                }
            }
        }
    }
}

when HTTP_RESPONSE {
    if {$Origin ne ""} {
        HTTP::header insert "Access-Control-Allow-Origin" $Origin
        HTTP::header insert "Access-Control-Allow-Methods" "GET,POST"
        HTTP::header insert "Access-Control-Max-Age" "86400"
        HTTP::header insert "Allow" "GET,HEAD,POST,OPTIONS"
    }
    HTTP::header insert "Vary" "Origin"
}
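
Added example, not part of the original post and not F5 or poster code: a Python model of the two checks this iRule depends on, the browser's preflight acceptance test and the `switch -glob` origin match. It assumes `fnmatchcase` as a stand-in for Tcl glob matching, a preflight check simplified from the Fetch standard (no credentials, no custom request headers), and constructed sample origins plus a hypothetical `EXACT_ORIGINS` allowlist.

```python
from fnmatch import fnmatchcase

# Patterns copied from the iRule's `switch -glob` arms.
GLOB_PATTERNS = ["*company1.com", "*company2.com"]
# Hypothetical exact allowlist; these origins are constructed sample values.
EXACT_ORIGINS = {"https://www.company1.com", "https://app.company2.com"}


def glob_allows(origin):
    """Emulate the glob arms; fnmatchcase stands in for Tcl glob matching."""
    return any(fnmatchcase(origin, p) for p in GLOB_PATTERNS)


def exact_allows(origin):
    """Stricter alternative: compare the whole origin against a fixed set."""
    return origin in EXACT_ORIGINS


def irule_preflight_headers(origin):
    """Headers listed in the iRule's matched-origin OPTIONS arm."""
    return {
        "Allow": "GET,HEAD,POST,OPTIONS",
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Methods": "GET,POST",
        "Access-Control-Max-Age": "86400",
    }


def preflight_passes(status, headers, origin, method):
    """Browser-side view of a preflight response: the status must be 2xx,
    the allowed origin must match, and the method must be permitted."""
    if not 200 <= status <= 299:
        return False  # a non-2xx preflight fails even with correct CORS headers
    if headers.get("Access-Control-Allow-Origin") != origin:
        return False
    listed = {m.strip().upper() for m in headers.get("Access-Control-Allow-Methods", "").split(",")}
    # GET, HEAD and POST are CORS-safelisted and need no explicit listing.
    return method.upper() in listed | {"GET", "HEAD", "POST"}


if __name__ == "__main__":
    origin = "https://www.company1.com"
    hdrs = irule_preflight_headers(origin)
    print("403 preflight accepted:", preflight_passes(403, hdrs, origin, "POST"))
    print("200 preflight accepted:", preflight_passes(200, hdrs, origin, "POST"))
    for o in (origin, "https://notcompany1.com", "https://www.company1.com.example"):
        print(o, "glob:", glob_allows(o), "exact:", exact_allows(o))
```

The leading `*` in the glob patterns also accepts any registrable domain that merely ends in the same characters, which the exact-match set does not.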
