iRule for CORS OPTIONS Header
I am working on creating an iRule that sends a 200 response when an OPTIONS header is sent. Here is the rule: when HTTP_REQUEST { if { ( [HTTP::method] equals "OPTIONS" ) } { HTTP::respond 200 Access-Control-Allow-Origin "[HTTP::header Origin]" Access-Control-Allow-Methods "POST, GET, OPTIONS" Access-Control-Allow-Headers "[HTTP::header Access-Control-Request-Headers]" Access-Control-Max-Age "86400" return } } When attempting to deploy this irule to an application, I am given the following error: IRule error: Transaction on BIG-IP failed after 0 seconds: 01070151:3: Rule [/Common/CORS-Preflight] error: /Common/CORS-Preflight:4: error: [undefined procedure: Access-Control-Allow-Methods][Access-Control-Allow-Methods "POST, GET, OPTIONS"] /Common/CORS-Preflight:5: error: [undefined procedure: Access-Control-Allow-Headers][Access-Control-Allow-Headers "[HTTP::header Access-Control-Request-Headers]" ] /Common/CORS-Preflight:6: error: [undefined procedure: Access-Control-Max-Age][Access-Control-Max-Age "86400"] Can anyone help with what the syntax issue may be with this?
Access-Control-Allow-Origin iRule Strange Error
I hope somebody here can help me. I've been sitting on this issue for over 8 hours now. I'm trying to enable CORS in my loadbalancer. I created an iRule which should intercept all OPTIONS type requests (because our backend cannot handle them) and answer it with the appropriate headers: when HTTP_REQUEST { if { [HTTP::method] eq "OPTIONS" } { HTTP::respond 200 -version 1.1 \ Date "[clock format [clock seconds] -format "%a, %d %b %Y %H:%M:%S %Z"]" \ Connection "Keep-Alive" \ Keep-Alive "timeout=3, max=250" \ Access-Control-Allow-Origin "*" \ Access-Control-Allow-Methods "GET, HEAD, POST, PATCH, PUT" \ Access-Control-Allow-Headers "Accept, Authentication, Authorization, Content-Encoding, Content-Length, Content-MD5, Content-Type, If-Match, If-None-Match, X-CUST-Header1, X-CUST-Header2" \ Access-Control-Expose-Headers "Content-Encoding, Content-Length, Content-MD5, Content-Type, ETag, Location, X-CUST-Header3, X-CUST-Header4" \ Access-Control-Max-Age "3600" event HTTP_REQUEST disable } } I've tried adding "*", "[HTTP::header Origin]" and the actual origin URL to Access-Control-Allow-Origin and tested it with 4 different browsers (FF34, FF38, Opera 29 and Chrome 43). The result is always the same: if the Access-Control-Allow-Origin header would match I get an error in the developer console ("F12" in most browsers), that the header is missing. But! You can see the header in the response headers and the XHR seems to work! See screenshot: If I put some random URL into the header the developer console says that the header does not match. (Before the loadbalancer I had Apache to set the headers, that way I had no CORS error in the developer console of the browsers - but I had some other problems.) Has anybody encountered this? Firmware: 11.5.1-HF8
Problem with doubly-quoted string
This is related to this previous question I asked: https://devcentral.f5.com/questions/adding-cors-response-headers I am now having a separate problem related to a new version of sample code in that thread, which was trying to return CORS headers automatically. Here's the problem fragment: if { ( [HTTP::method] equals "OPTIONS" ) and ( [HTTP::host] contains "example.com"] ) and ( [HTTP::header] exists "Access-Control-Request-Method") } { HTTP::respond 200 "Access-Control-Allow-Origin" "[HTTP::header Origin]" "Access-Control-Allow-Methods" "POST, GET, OPTIONS" "Access-Control-Allow-Headers" "[HTTP::header Access-Control-Request-Headers]" "Access-Control-Max-Age" "86400" } elseif { ( [HTTP::host] contains "example.com"] ) and ( [HTTP::header] exists "Origin") } { CORS GET/POST requests - set cors_origin variable set cors_origin [HTTP::header Origin] } As you can see, each of the CORS response header names in the second line is enclosed in double-quotes, so the iRule treats them as strings. However, when I try to deploy the iRule that contains this fragment, it fails, and I'm not sure why. Could the problem be this bit: "Access-Control-Allow-Headers" "[HTTP::header Access-Control-Request-Headers]" Could the iRule think that Access-Control-Request-Headers is not a string? If so, what's the solution? Can I have a string within a string - I'm assumign this isn't valid: "Access-Control-Allow-Headers" "[HTTP::header "Access-Control-Request-Headers"]"
CORS control with ASM
Hi All, Good day. I have a few questions need your expert advice: i have a F5 NLB that host a virtual server as an reverse proxy in the web tier of my 3 tier system. My actual website hosted in my App tier using IIS 8.5, with CORS ext. installed and configured. However, recent VA scan on my system shows that my system did not restrict the CORS properly and allow "access-control-allow-origin" to any hosts. Now, i understand that F5 has an ASM module to enforce security on URLs like CORS but unfortunately my infra team did not purchase the license for this module. May i know, without ASM, does it mean the F5 will overwrite my website response header despite my IIS had restricted the origin? thank you!CORS iRule Problem
I'm having a lot of trouble setting CORS headers and I'm hoping someone with more familiarity can help me out. This is my first time working with CORS, in fact until a few days ago I had never even heard of it. After some reading, my understanding is that CORS is a way to prevent a webpage from referencing another webpage. So I have a page, we'll call it siteA, that gets some dynamic data from another webpage, siteB (both are internal pages) and my understanding is that siteB will not talk to siteA unless siteA presents a CORS header with a value of siteA.domain.com; is this even the correct interpretation of how this is supposed to work? DevCentral keeps marking as spam so I might end up posting a partial explanation