Forum Discussion

Thomas_________'s avatar
Thomas_________
Icon for Nimbostratus rankNimbostratus
Aug 25, 2020

HTML5 Cross-Domain Reuest Enforcement not working as expected (13.1.1)

I am confused by the HTML5 Cross-Domain Reuest Enforcement. We have tested all of the modes quite extensively and analyzed the bahaviour.

 

Mode "Replace CORS headers" actually seems to remove the response headers instead of replacing them. Basically this is the behaviour I would expect with "Enforce on ASM". As it happens, if the mode is changed to "Enforce on ASM" nothing at all happens, the behaviour is identical to the mode being set to "Disabled".

 

What is happening here and what is wrong? Or is the documentation just wrong here and this is actually the expected (but wierd) behaviour? Googling on the topic gives a few results, all basically reiterating what the manual says. And the manual does not reflect what we are seeing in our tests.

 

Yes, I have rememebred to "Apply policy" between running the test cases and policy changes when testing the modes.

 

This is BIG-IP 13.1.1.4 Build 0.0.4 Point Release 4.

 

ASM Advanced WAF
security

3 Replies

Sort By
    • Ivan_Chernenkii's avatar
      Ivan_Chernenkii
      Icon for Employee rankEmployee
      Sep 01, 2020

      Hello Thomas,

       

      Please take a look at https://techdocs.f5.com/kb/en-us/products/big-ip_asm/manuals/product/asm-implementations-12-1-0/17.html

      "Enforce on ASM" should trigger "Illegal cross-origin request" violation if origin in request is not defined as allowed. It shouldn't remove or modify any response headers.

      "Replace CORS headers" should replace response headers with values defined in configuration of URL. Pay attention, that to make it work you must get preflight CORS request at first.

       

      If it doesn't help, then please share config of your CORS URLs and CORS traffic (requests/responses) incl. preflight request.

       

      Thanks, Ivan

  • LB's avatar
    LB
    Icon for Cirrus rankCirrus
    Sep 02, 2020

    First off, are you updating the policy and then applying the policy?

     

    I have implemented this in my environment with success. Enforce works works with a list of explicit origins and replaces all CORS headers (you cannot remove/replace/manipulate/modify specific headers). Replace option allows you to remove/replace/manipulate/modify specific headers based on your configuration.

     

    """

    Replace CORS headers (HTTP URLs only): Replace the CORS header in the response with another header specified on the tab, including allowed origins, allowed methods, allowed headers, and so on. The browser enforces the policy.

     

    Enforce on ASM: Allow cross-origin resource sharing as configured. CORS requests are allowed from the domains specified as allowed origins. ASM enforces the policy.

    """

    https://techdocs.f5.com/kb/en-us/products/big-ip_asm/manuals/product/asm-implementations-12-1-0/17.html

     

    """

    Disabled: The system does not enforce CORS headers.

    Remove all CORS headers: The system removes all CORS headers.

    Replace CORS headers: The system replaces CORS headers.

    Enforce on ASM: The system removes all CORS headers and replaces them.

    """

    "Help" tab in BIG-IP system