Manual Chapter : Setting Up Cross-Domain Request Enforcement

Applies To:

Show Versions Show Versions

BIG-IP ASM

  • 11.5.10, 11.5.9, 11.5.8, 11.5.7, 11.5.6, 11.5.5, 11.5.4, 11.5.3, 11.5.2, 11.5.1
Manual Chapter

About cross-domain request enforcement

Cross-Origin Resource Sharing (CORS) is an HTML5 feature that enables one website to access the resources of another website using JavaScript within the browser. On occasion, your web application might need to share resources with another external website that is hosted on a different domain. Using Application Security Manager, you can safely allow CORS by specifying the conditions that state when a foreign web application is allowed to access your web application, after making a cross-domain request. This feature is called cross-domain request enforcement.

You enable cross-domain request enforcement as part of the Allowed URL properties within a security policy. Then you can specify which domains can access the response generated by requesting this URL (the “resource”), and also configure how to overwrite CORS response headers that are returned by the web server.

This feature does not affect internal redirection, which is always allowed. For example, Location: /anotherpage/onthisserver/internal_redirect.php would be allowed even if cross-domain request enforcement is enabled on the system.

Setting up cross-domain request enforcement

For this task, you must have already created a URL in a security policy.
If you want to allow one website to access the resources of another website, you can add cross-domain request enforcement to an existing URL.
  1. On the Main tab, click Security > Application Security > URLs. The Allowed URLs screen opens.
  2. In the Current edited policy list near the top of the screen, verify that the edited security policy is the one you want to work on.
  3. In the Allowed URLs List, click the name of the URL you want to modify. The Allowed URL Properties screen opens.
  4. From the Allowed URL Properties list, select Advanced.
  5. Select the HTML5 Cross-Domain Request Enforcement check box. The screen now includes an additional tab in the next area.
  6. On the HTML5 Cross-Domain Request Enforcement tab, select the Allow HTML5 Cross-Origin Requests check box. The tab now includes additional settings where you define which domains can access the response generated by a request to this URL, and how to overwrite CORS response headers returned by the web server.
  7. In the Allowed Origins setting, add the origins that are allowed to share data returned by this URL. If you select Unmodified, the system leaves the response header as set by the server. If you select Replace with, specify the origin names:
    1. For Protocol, select the appropriate protocol for the allowed origin.
    2. For Origin Name, type the domain name or IP address that you want to allow to share your data with. Wildcards are allowed in the names. For example: *.f5.com will match b.f5.com; however it will not match a.b.f5.com.
    3. For Port, select the port that other web applications can use to request data from your web application, or use the * wildcard for all ports.
    4. If you want to allow sub-domains to receive data, select the Include Sub-Domains check box.
    5. Click Add to add the origins. The origins that can share data with the URL are included in the list.
  8. For Allowed Methods, specify which methods other applications may use when requesting this URL from another domain. Move the methods to allow from the Available Methods to the Allowed Methods list.
    Important: Any method you allow here must also be in the Allowed Methods list in the security policy (Security > Application Security > Headers > Methods).
  9. For Allowed Headers, type the headers to allow other applications to use when requesting this URL from another domain. Allowed headers are request headers sent by clients. For example, to allow clients to send Ajax requests, type X-Requested-With, and to allow XML requests, type Content-Type.
  10. For Exposed Headers, specify the headers that can be exposed in JavaScript and shared with other applications to use when requesting this URL from another domain. Exposed headers are the headers returned by the server in the response. For example, To discover server side web application technology, type X-Powered-By.
  11. For Allow Credentials, specify whether requests from applications in another domains can include user credentials.
  12. For Maximum Age, specify the number of seconds that the results of a preflight request can be cached or use the default.
  13. Click Update.
  14. To put the security policy changes into effect immediately, click Apply Policy.
The security policy allows requests for the URL to access the resources of other websites hosted in a different domain according to the enforcement conditions that you configured.

How cross-domain request enforcement works

If you enable cross-domain request enforcement, the system must authorize requests (typically AJAX requests) made from one domain to another. When a client makes a request to another origin, the browser sends a preflight request to determine whether JavaScript from another domain may access your resource. The preflight request consists of an OPTIONS HTTP method and CORS-related headers.

The CORS-related headers that are included in a preflight request are:

Header Description
Origin Determines requesting origin.
Access-Control-Request-Method Indicates which methods are used in the actual request (other than simple methods).
Access-Control-Request-Headers Indicates which headers are used in the actual request (other than simple headers).

In response to the preflight request, the system uses these CORS response headers:

Header Description
Access-Control-Allow-Origin List of origins the resource may be shared among (support wildcard).
Access-Control-Allow-Credentials Indicates whether actual request may include user credentials (true/false).
Access-Control-Allow-Methods Indicates which methods can be used during the actual request.
Access-Control-Allow-Headers Indicates which request headers can be used during the actual request.
Access-Control-Max-Age Indicates how long (in seconds) to cache the results of a preflight request in the browser.
Access-Control-Expose-Headers Indicates which response headers are safe to expose to JavaScript.

The browser uses the response to determine whether to allow the JavaScript to make the actual request. If the cross-domain request is authorized, the server processes the actual requests by rechecking the origin and including another response header:

Header Description
Access-Control-Expose-Headers Indicates which response headers are safe to expose to JavaScript.

The browser then allows the foreign domain to send its original requests.

If you do not enable cross-domain request enforcement, the system removes all cross-origin request headers and CORS is not allowed for the URL.