Forum Discussion
First off, are you updating the policy and then applying the policy?
I have implemented this in my environment with success. Enforce works works with a list of explicit origins and replaces all CORS headers (you cannot remove/replace/manipulate/modify specific headers). Replace option allows you to remove/replace/manipulate/modify specific headers based on your configuration.
"""
Replace CORS headers (HTTP URLs only): Replace the CORS header in the response with another header specified on the tab, including allowed origins, allowed methods, allowed headers, and so on. The browser enforces the policy.
Enforce on ASM: Allow cross-origin resource sharing as configured. CORS requests are allowed from the domains specified as allowed origins. ASM enforces the policy.
"""
"""
Disabled: The system does not enforce CORS headers.
Remove all CORS headers: The system removes all CORS headers.
Replace CORS headers: The system replaces CORS headers.
Enforce on ASM: The system removes all CORS headers and replaces them.
"""
"Help" tab in BIG-IP system