Forum Discussion
Apply APM to an iFrame - The content cannot be display in Frame
Hi,
We have an application and when you click a button, it makes a call to another virtual server and opens the windows in a iFrame.
When we apply our APM policy, it runs through specific checks but we receive an error: "The content cannot be display in Frame."
Is this an error caused by the F5 or our application? Reading this article http://stackoverflow.com/questions/14141388/iframe-this-content-cannot-be-displayed-in-a-frame
It appears to me this is an application security issue, not an F5. Is this possibility a IE issue?
- Seth_CooperEmployee
Hi Nick,
This is by design to protect against Clickjacking. We insert the X-Frame-Options header in the server response and set it to DENY.
https://developer.mozilla.org/en-US/docs/Web/HTTP/X-Frame-Options
You should be able to remove the header or modify it with an iRule if needed.
Regards,
Seth
- Nfordhk_66801Nimbostratus
Thanks Seth! I'll look into the documentation your provided.
- Nfordhk_66801Nimbostratus
Here's a representation of the issue. The background is virtual server A, I then click a button where it calls virtual server B through an iframe. The policy is applied to virtual server B only.
- Seth_CooperEmployeeWhat do you have set for the db options? What does it look like in an HTTPWatch? Seth
- Nfordhk_66801Nimbostratus
I've tried multiple options such as allow_from, same_origin.
However, current DB options:
list sys db apm.xframeoptions sys db apm.xframeoptions { value "same_origin" } list sys db apm.xframeoptions.allowfrom sys db apm.xframeoptions.allowfrom { value "https://debitcardapppp" }
I've also tried adding an irule to one/both VS servers
when HTTP_RESPONSE { HTTP::header replace X-Frame-Options "SAMEORIGIN" }
I do not have the paid version of http watch and have been using fiddler. However, other than when my policy is accessed i see zero other x-frame-options.
- Nfordhk_66801NimbostratusI've verified that shortname is being utilized. value "https://debitcardapppp" should be correct.
- Seth_CooperEmployee
Try to set the option to "allow_from" and make sure the "allowfrom" is the page that is calling the iframe.
root@(cooper-apm-11-6-0)(cfg-sync Standalone)(Active)(/Common)(tmos) list sys db apm.xframeoptions sys db apm.xframeoptions { value "allow_from" } root@(cooper-apm-11-6-0)(cfg-sync Standalone)(Active)(/Common)(tmos) list sys db apm.xframeoptions.allowfrom sys db apm.xframeoptions.allowfrom { value "http://x.x.x.x" } root@(cooper-apm-11-6-0)(cfg-sync Standalone)(Active)(/Common)(tmos)
In this example x.x.x.x is the original website that has the frame for the VS embedded.
Seth
- Seth_CooperEmployee
You can set the option to "none".
root@(cooper-apm-11-6-0)(cfg-sync Standalone)(Active)(/Common)(tmos) list sys db apm.xframeoptions sys db apm.xframeoptions { value "none" } root@(cooper-apm-11-6-0)(cfg-sync Standalone)(Active)(/Common)(tmos)
This should turn it off globally.
Seth
- Seth_CooperEmployee
Hi Alex,
Here is an iRule workaround to use this for several sites.
when CLIENT_ACCEPTED { ACCESS::restrict_irule_events disable } when HTTP_REQUEST { if { [ACCESS::session sid] == "" || ![ACCESS::session exists -state_allow] } { session does not exist in allow state, continue, user is logging in now } else { session already exists and is allowed, don't do anything, this will be the 99.9% case. return } if { [HTTP::uri] contains "renderer" } { return } if { [info exists frame_referer] } { return } set frame_referer [HTTP::header "Referer"] } when HTTP_RESPONSE_RELEASE { Update below to match your desired TLD if { [info exists frame_referer] && $frame_referer matches_regex {UPDATE_THIS} } { HTTP::header replace "X-Frame-Options" "ALLOW-FROM $frame_referer" } }
Hope this helps!
You need to have the db variable set to "allow_from"
Seth
- Joni_Jachniuk_3Nimbostratus
i found the way to prevent the dialog breaks out of the frame :
- go to the Access Policy -> Customization -> Advanced
- go to Access Profiles / / Access Policy / Logon Pages / Logon Page / logon.inc
- Search for if(self != top) { top.location = self.location; } and comment it out so it looks like this: //if(self != top) { top.location = self.location; }
- Save changes; Apply policy changes
Recent Discussions
Related Content
* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com