I'm sure that the ASM profile is causing this issue with the site. I made some tests and after removing the ASM profile from the virtual server there is no error from CORS in the browser. I also have searched about this on DevCentral and found that this feature is from Proactive Bot Defense, and it is configured in the DoS profile. The problem is that I do not have a DoS profile on the virtual server, and it has become very difficult to find the root cause of this.
Here is an example of the request blocked in Google Chrome when the ASM profile is assigned:
Do you guys have a clue where I should search for this strange behaviour?
Just found out that the ASM is removing the security headers from the response, and then causing CORS errors for the clients.
Access-Control-Allow-Methods: GET, POST
Access-Control-Allow-Headers: Content-Type, *
In fact, the headers are present in HTTP_RESPONSE (APP > F5) but are removed in HTTP_RESPONSE_RELEASE (F5 > Client) by ASM.
Could this be a BUG or some feature by design? Because ASM transparent mode should not block/change anything in the request...
Thanks for the update.
I agree, this is unacceptable.
Never encountered something like this with ASM and I have dealt with CORS many times before.
You can play with the CORS configuration through ASM or with an iRule; I think that this is what I will do.
Stumbled upon a very similar issue yesterday.
When ASM is configured (simple profile), even in transparent mode, users on mobile Chrome receive CORS errors on certain iframes.
When ASM is disabled, everything works flawlessly.
Need to verify if ASM is stripping the CORS headers...
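One way to verify that, added here as an example and not code from this thread or from F5: a logging-only iRule that snapshots the Access-Control-* headers in HTTP_RESPONSE (backend to F5) and again in HTTP_RESPONSE_RELEASE (F5 to client) and logs a line whenever the two differ. It assumes the local0 log facility is acceptable on the box; the variable names are my own.

```tcl
when HTTP_REQUEST {
    # Remember the request so the response-side log line can be correlated
    # (HTTP::host and HTTP::uri are not available in the response events).
    set cors_req "[HTTP::host][HTTP::uri]"
}

when HTTP_RESPONSE {
    # Backend -> F5: snapshot the CORS headers before ASM handles the response.
    set cors_before [list]
    foreach name [HTTP::header names] {
        if { [string tolower $name] starts_with "access-control-" } {
            lappend cors_before "$name: [HTTP::header value $name]"
        }
    }
}

when HTTP_RESPONSE_RELEASE {
    # F5 -> client: snapshot again after ASM has finished with the response.
    set cors_after [list]
    foreach name [HTTP::header names] {
        if { [string tolower $name] starts_with "access-control-" } {
            lappend cors_after "$name: [HTTP::header value $name]"
        }
    }
    # Guard against a release event with no matching earlier snapshot.
    if { ![info exists cors_before] } { set cors_before [list] }
    if { ![info exists cors_req] } { set cors_req "unknown" }
    # Log only on a difference, so a quiet log means the headers passed through untouched.
    if { $cors_before ne $cors_after } {
        log local0. "CORS headers changed between events for $cors_req: before={$cors_before} after={$cors_after}"
    }
}
```

The iRule only observes; it does not re-insert anything, so the log entries are evidence for a support case rather than a workaround for the policy.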
In fact the ASM does this; F5 support told me this is by design on ASM:
"If you do not enable cross-domain request enforcement, the system removes all cross-origin request headers and CORS is not allowed for the URL."
For me this is unacceptable. F5 ASM shouldn't do this by default, because we have a feature called "transparent mode", and this CORS protection should be disabled and allow * (wildcards) by default. I have requested an RFE for this.