Applies To:
Show VersionsBIG-IP ASM
- 11.6.5, 11.6.4, 11.6.3, 11.6.2, 11.6.1
Setting Up Cross-Domain Request Enforcement
About cross-domain request enforcement
Cross-Origin Resource Sharing (CORS) is an HTML5 feature that enables one website to access the resources of another website using JavaScript within the browser. On occasion, your web application might need to share resources with another external website that is hosted on a different domain. Using Application Security Manager™, you can safely allow CORS by specifying the conditions that state when a foreign web application is allowed to access your web application, after making a cross-domain request. This feature is called cross-domain request enforcement.
You enable cross-domain request enforcement as part of the Allowed URL properties within a security policy. Then you can specify which domains can access the response generated by requesting this URL (the “resource”), and also configure how to overwrite CORS response headers that are returned by the web server.
This feature does not affect internal redirection, which is always allowed. For example, Location: /anotherpage/onthisserver/internal_redirect.php would be allowed even if cross-domain request enforcement is enabled on the system.
Setting up cross-domain request enforcement
How cross-domain request enforcement works
If you enable cross-domain request enforcement, the system must authorize requests (typically AJAX requests) made from one domain to another. When a client makes a request to another origin, the browser sends a preflight request to determine whether JavaScript from another domain may access your resource. The preflight request consists of an OPTIONS HTTP method and CORS-related headers.
The CORS-related headers that are included in a preflight request are:
Header | Description |
---|---|
Origin | Determines requesting origin. |
Access-Control-Request-Method | Indicates which methods are used in the actual request (other than simple methods). |
Access-Control-Request-Headers | Indicates which headers are used in the actual request (other than simple headers). |
In response to the preflight request, the system uses these CORS response headers:
Header | Description |
---|---|
Access-Control-Allow-Origin | List of origins the resource may be shared among (support wildcard). |
Access-Control-Allow-Credentials | Indicates whether actual request may include user credentials (true/false). |
Access-Control-Allow-Methods | Indicates which methods can be used during the actual request. |
Access-Control-Allow-Headers | Indicates which request headers can be used during the actual request. |
Access-Control-Max-Age | Indicates how long (in seconds) to cache the results of a preflight request in the browser. |
Access-Control-Expose-Headers | Indicates which response headers are safe to expose to JavaScript. |
The browser uses the response to determine whether to allow the JavaScript to make the actual request. If the cross-domain request is authorized, the server processes the actual requests by rechecking the origin and including another response header:
Header | Description |
---|---|
Access-Control-Expose-Headers | Indicates which response headers are safe to expose to JavaScript. |
The browser then allows the foreign domain to send its original requests.
If you do not enable cross-domain request enforcement, the system removes all cross-origin request headers and CORS is not allowed for the URL.