Cisco Bug: CSCvv30506 - Websites that support CORS policy don't work via WSA when authentications enabled

Last Modified

Sep 19, 2020

Products (1)

  • Cisco Web Security Appliance

Known Affected Releases

11.8.0-453 11.8.1-023 12.0.1-334

Description (partial)

Some websites are failing due to a missing Access-Control-Allow-Origin header, which is being removed by the WSA. We have some public websites that are using this feature to make sure that there are no cross-site scripting attacks performed on their website, so they use this header to identify the request's origin.

This issue mainly affects the WSA in transparent mode with authentication enabled, where the WSA has to act as the web server.

- Transparent deployment (policy-based routing (PBR) or WCCP).
- Authentication enabled.
- Websites have CORS policies enabled.