Apply APM to an iFrame - The content cannot be display in Frame

Hi Nick,

This is by design to protect against Clickjacking. We insert the X-Frame-Options header in the server response and set it to DENY.

https://developer.mozilla.org/en-US/docs/Web/HTTP/X-Frame-Options

https://www.owasp.org/index.php/Clickjacking_Defense_Cheat_SheetDefending_with_X-Frame-Options_Response_Headers

You should be able to remove the header or modify it with an iRule if needed.

Regards,

Seth

Thanks Seth! I'll look into the documentation your provided.

Here's a representation of the issue. The background is virtual server A, I then click a button where it calls virtual server B through an iframe. The policy is applied to virtual server B only.

I've tried multiple options such as allow_from, same_origin.

However, current DB options:

 list sys db apm.xframeoptions
 sys db apm.xframeoptions {
 value "same_origin"
 }

 list sys db apm.xframeoptions.allowfrom
 sys db apm.xframeoptions.allowfrom {
 value "https://debitcardapppp"
 }

I've also tried adding an irule to one/both VS servers

 when HTTP_RESPONSE {
 HTTP::header replace X-Frame-Options "SAMEORIGIN"
 }

I do not have the paid version of http watch and have been using fiddler. However, other than when my policy is accessed i see zero other x-frame-options.

Try to set the option to "allow_from" and make sure the "allowfrom" is the page that is calling the iframe.

root@(cooper-apm-11-6-0)(cfg-sync Standalone)(Active)(/Common)(tmos) list sys db apm.xframeoptions
sys db apm.xframeoptions {
    value "allow_from"
}
root@(cooper-apm-11-6-0)(cfg-sync Standalone)(Active)(/Common)(tmos) list sys db apm.xframeoptions.allowfrom
sys db apm.xframeoptions.allowfrom {
    value "http://x.x.x.x"
}
root@(cooper-apm-11-6-0)(cfg-sync Standalone)(Active)(/Common)(tmos)

In this example x.x.x.x is the original website that has the frame for the VS embedded.

Seth

You can set the option to "none".

root@(cooper-apm-11-6-0)(cfg-sync Standalone)(Active)(/Common)(tmos) list sys db apm.xframeoptions
sys db apm.xframeoptions {
    value "none"
}
root@(cooper-apm-11-6-0)(cfg-sync Standalone)(Active)(/Common)(tmos)

This should turn it off globally.

Seth

Hi Alex,

Here is an iRule workaround to use this for several sites.

when CLIENT_ACCEPTED {
  ACCESS::restrict_irule_events disable
}

when HTTP_REQUEST {
  if { [ACCESS::session sid] == "" || ![ACCESS::session exists -state_allow] } {
     session does not exist in allow state, continue, user is logging in now
  } else {
     session already exists and is allowed, don't do anything, this will be the 99.9% case.
    return
  }
  if { [HTTP::uri] contains "renderer" } {
    return
  }
  if { [info exists frame_referer] } {
    return
  }
  set frame_referer [HTTP::header "Referer"]
}

when HTTP_RESPONSE_RELEASE {

   Update below to match your desired TLD

  if { [info exists frame_referer] && $frame_referer matches_regex {UPDATE_THIS} } {
    HTTP::header replace "X-Frame-Options" "ALLOW-FROM $frame_referer"
  }
}

Hope this helps!

You need to have the db variable set to "allow_from"

Seth

i found the way to prevent the dialog breaks out of the frame :

1. go to the Access Policy -> Customization -> Advanced
2. go to Access Profiles / / Access Policy / Logon Pages / Logon Page / logon.inc
3. Search for if(self != top) { top.location = self.location; } and comment it out so it looks like this: //if(self != top) { top.location = self.location; }
4. Save changes; Apply policy changes