Forum Discussion

Nfordhk_66801's avatar
Nfordhk_66801
Icon for Nimbostratus rankNimbostratus
Apr 02, 2015

Apply APM to an iFrame - The content cannot be display in Frame

Hi,

 

We have an application and when you click a button, it makes a call to another virtual server and opens the windows in a iFrame.

 

When we apply our APM policy, it runs through specific checks but we receive an error: "The content cannot be display in Frame."

 

Is this an error caused by the F5 or our application? Reading this article http://stackoverflow.com/questions/14141388/iframe-this-content-cannot-be-displayed-in-a-frame

 

It appears to me this is an application security issue, not an F5. Is this possibility a IE issue?

 

  • Here's a representation of the issue. The background is virtual server A, I then click a button where it calls virtual server B through an iframe. The policy is applied to virtual server B only.

     

     

     

    • Seth_Cooper's avatar
      Seth_Cooper
      Icon for Employee rankEmployee
      What do you have set for the db options? What does it look like in an HTTPWatch? Seth
  • I've tried multiple options such as allow_from, same_origin.

    However, current DB options:

     list sys db apm.xframeoptions
     sys db apm.xframeoptions {
     value "same_origin"
     }
    
     list sys db apm.xframeoptions.allowfrom
     sys db apm.xframeoptions.allowfrom {
     value "https://debitcardapppp"
     }
    

    I've also tried adding an irule to one/both VS servers

     when HTTP_RESPONSE {
     HTTP::header replace X-Frame-Options "SAMEORIGIN"
     }
    

    I do not have the paid version of http watch and have been using fiddler. However, other than when my policy is accessed i see zero other x-frame-options.

    • Nfordhk_66801's avatar
      Nfordhk_66801
      Icon for Nimbostratus rankNimbostratus
      I've verified that shortname is being utilized. value "https://debitcardapppp" should be correct.
  • Try to set the option to "allow_from" and make sure the "allowfrom" is the page that is calling the iframe.

    root@(cooper-apm-11-6-0)(cfg-sync Standalone)(Active)(/Common)(tmos) list sys db apm.xframeoptions
    sys db apm.xframeoptions {
        value "allow_from"
    }
    root@(cooper-apm-11-6-0)(cfg-sync Standalone)(Active)(/Common)(tmos) list sys db apm.xframeoptions.allowfrom
    sys db apm.xframeoptions.allowfrom {
        value "http://x.x.x.x"
    }
    root@(cooper-apm-11-6-0)(cfg-sync Standalone)(Active)(/Common)(tmos)
    

    In this example x.x.x.x is the original website that has the frame for the VS embedded.

    Seth

  • You can set the option to "none".

    root@(cooper-apm-11-6-0)(cfg-sync Standalone)(Active)(/Common)(tmos) list sys db apm.xframeoptions
    sys db apm.xframeoptions {
        value "none"
    }
    root@(cooper-apm-11-6-0)(cfg-sync Standalone)(Active)(/Common)(tmos)
    

    This should turn it off globally.

    Seth

  • Hi Alex,

    Here is an iRule workaround to use this for several sites.

    when CLIENT_ACCEPTED {
      ACCESS::restrict_irule_events disable
    }
    
    when HTTP_REQUEST {
      if { [ACCESS::session sid] == "" || ![ACCESS::session exists -state_allow] } {
         session does not exist in allow state, continue, user is logging in now
      } else {
         session already exists and is allowed, don't do anything, this will be the 99.9% case.
        return
      }
      if { [HTTP::uri] contains "renderer" } {
        return
      }
      if { [info exists frame_referer] } {
        return
      }
      set frame_referer [HTTP::header "Referer"]
    }
    
    when HTTP_RESPONSE_RELEASE {
    
       Update below to match your desired TLD
    
      if { [info exists frame_referer] && $frame_referer matches_regex {UPDATE_THIS} } {
        HTTP::header replace "X-Frame-Options" "ALLOW-FROM $frame_referer"
      }
    }
    

    Hope this helps!

    You need to have the db variable set to "allow_from"

    Seth

  • i found the way to prevent the dialog breaks out of the frame :

     

    1. go to the Access Policy -> Customization -> Advanced
    2. go to Access Profiles / / Access Policy / Logon Pages / Logon Page / logon.inc
    3. Search for if(self != top) { top.location = self.location; } and comment it out so it looks like this: //if(self != top) { top.location = self.location; }
    4. Save changes; Apply policy changes