Operational Defect Database


F5 | 1284097

False positive 'Illegal cross-origin request' violation

Last update date:

5/16/2024

Affected products:

BIG-IP

BIG-IP ASM

Affected releases:

15.1.0

15.1.0.1

15.1.0.2

15.1.0.3

15.1.0.4

15.1.0.5

15.1.1

15.1.2

15.1.2.1

15.1.3

15.1.3.1

15.1.4

Fixed releases:

17.1.1

Description:

Symptoms

Under the right configuration, an HTTP request whose Origin header carries an https-scheme origin may be blocked with an 'Illegal cross-origin request' violation.

Impact

The 'Illegal cross-origin request' violation is reported in version 17.1.x, unlike version 16.1.x, with the same configuration and the same traffic.

Conditions

A request sent to a virtual server on an HTTP port, carrying an Origin header with an https value, triggers the violation when all of the following hold:

1) The 'Illegal cross-origin request' violation is enabled.

2) Security ›› Application Security : Security Policies : Policies List ›› Auto_Security_Policy_Services ›› Headers ›› Host Names is configured with the Origin header value.

3) The URL the request is sent to has 'Enforce on ASM' enabled in its 'HTML5 Cross-Domain Request' configuration.

Fix Information

With the internal parameter enabled, the 'Illegal cross-origin request' violation is no longer reported.

Behavior Change
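The following is an added example, not F5 code and not taken from this defect record: a hypothetical model of an 'Illegal cross-origin request' decision that reproduces the three conditions above on a constructed sample request and policy. It contrasts a comparison that also checks the Origin's scheme and port against the listener (which flags an https Origin sent to an http virtual server even when the host is on the Host Names list, as this defect describes) with a comparison that decides on host name alone (what the page attributes to the internal parameter). The policy keys, request fields, host names and paths are assumptions for illustration; the actual BIG-IP ASM logic and the parameter name are not on the page.

```python
"""Hypothetical model of an 'Illegal cross-origin request' check.

Added example, not F5/BIG-IP ASM code. It shows why an https-scheme Origin
sent to an http listener trips a scheme-and-port-sensitive comparison even
though the host is on the policy's Host Names list, and how a host-only
comparison avoids that false positive while still catching foreign origins.
"""
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def parse_origin(origin):
    """Parse an Origin header into (scheme, host, port).

    Returns None for an absent header, the literal 'null' origin (opaque
    origin, e.g. from a sandboxed frame), or a malformed value.
    """
    if origin is None:
        return None
    value = origin.strip()
    if value.lower() == "null":
        return None
    parts = urlsplit(value)
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS or not parts.hostname:
        return None
    try:
        port = parts.port or DEFAULT_PORTS[scheme]
    except ValueError:  # non-numeric port in the authority
        return None
    return scheme, parts.hostname.lower(), port


def illegal_cross_origin(request, policy, compare_scheme_and_port):
    """Return True when the violation would be reported for this request.

    compare_scheme_and_port=True models the behaviour the defect describes:
    the Origin's scheme/port must also match the listener the request hit.
    False models a host-name-only decision (the behaviour the page attributes
    to the internal parameter). Policy/request field names are assumptions.
    """
    if not policy["violation_enabled"]:                 # condition 1
        return False
    if request["path"] not in policy["enforce_on_asm_urls"]:  # condition 3
        return False
    origin = parse_origin(request["headers"].get("Origin"))
    if origin is None:                                  # not a CORS request
        return False
    scheme, host, port = origin
    allowed_hosts = {h.lower() for h in policy["host_names"]}
    if host not in allowed_hosts:                       # condition 2 not met:
        return True                                     # a genuinely foreign origin
    if compare_scheme_and_port:
        # Host is allowed, but https:443 != http:80 for the listener -> flagged.
        return (scheme, port) != (request["listener_scheme"], request["listener_port"])
    return False


# Constructed sample policy mirroring the three conditions on the page.
SAMPLE_POLICY = {
    "violation_enabled": True,                 # condition 1
    "host_names": {"www.example.com"},         # condition 2 (assumed host)
    "enforce_on_asm_urls": {"/api/orders"},    # condition 3 (assumed URL)
}


def make_request(origin, path="/api/orders", listener_scheme="http", listener_port=80):
    """Build a constructed sample request to an http virtual server on port 80."""
    headers = {"Host": "www.example.com"}
    if origin is not None:
        headers["Origin"] = origin
    return {
        "path": path,
        "headers": headers,
        "listener_scheme": listener_scheme,
        "listener_port": listener_port,
    }


def classify(origin, path="/api/orders"):
    """Evaluate one Origin under both comparison modes; used by the demo below."""
    req = make_request(origin, path=path)
    return {
        "scheme_sensitive": illegal_cross_origin(req, SAMPLE_POLICY, True),
        "host_only": illegal_cross_origin(req, SAMPLE_POLICY, False),
    }


if __name__ == "__main__":
    for origin in ("https://www.example.com", "http://www.example.com",
                   "https://attacker.example", "null", None):
        print(f"Origin={origin!r:<28} -> {classify(origin)}")
```

The scheme-sensitive row for `https://www.example.com` is the false positive this record describes: the host is on the allowed list and the only mismatch is https/443 versus the http/80 listener. The host-only decision still reports `https://attacker.example`, so relaxing the scheme check does not turn off the violation for genuinely foreign origins.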


Status

Verified
