Cisco Bug: CSCvv30506 - Websites that support CORS policy don't work via WSA when authentications enabled
Sep 19, 2020
- Cisco Web Security Appliance
Known Affected Releases
11.8.0-453 11.8.1-023 12.0.1-334
Symptom: Some websites fail because the Access-Control-Allow-Origin header is missing; the WSA removes it. We have some public websites that use this feature to make sure that no cross-site scripting attacks are performed on their website, so they use this header to identify the request's origin. This issue mainly affects the WSA in transparent mode with authentication enabled, where the WSA has to act as the web server in transparent mode.
Conditions:
- Transparent deployment (policy-based routing (PBR) or WCCP).
- Authentication enabled.
- Websites have CORS policies enabled.