BugZero found this defect 410 days ago.
5/16/2024
BIG-IP
BIG-IP ASM
15.1.0
15.1.0.1
15.1.0.2
15.1.0.3
15.1.0.4
15.1.0.5
15.1.1
15.1.2
15.1.2.1
15.1.3
15.1.3.1
15.1.4
17.1.1
Symptoms
Under the right configurations, an HTTP request with an HTTPS Origin header may get blocked for an 'Illegal cross-origin request' violation.

Impact
The 'Illegal cross-origin request' violation is reported in version 17.1.x, unlike version 16.1.x with the same configurations and the same traffic.

Conditions
A request that is sent to a virtual server with an HTTP port, and that has an Origin header with an HTTPS value, will trigger the violation under the following conditions:
1) The 'Illegal cross-origin request' violation is enabled.
2) Security ›› Application Security : Security Policies : Policies List ›› Auto_Security_Policy_Services ›› Headers ›› Host Names is configured with the Origin header value.
3) The URL to which the request is sent has 'Enforce on ASM' enabled in its 'HTML5 Cross-Domain Request' configuration.

Fix Information
With the internal parameter enabled, the 'Illegal cross-origin request' violation will not be reported.

Behavior Change