Forum Discussion

Rabbit23_116296's avatar
Rabbit23_116296
Icon for Nimbostratus rankNimbostratus
Jan 28, 2016

x-frame-options settings not working in APM

I have /my.policy overwriting every attempt I've made to disable this clickjacking protection. I have a frame that needs to access APM and this damn header is constantly getting set. Using BIGIP 12, I've run this in TMSH: tmsh modify /sys db apm.xframeoptions.allowfrom value none

Doesnt work...

tried it even in an iRule to replace or outright remove it:

when HTTP_REQUEST {

}
when HTTP_RESPONSE {
    log local0.notice "removing header"
   HTTP::header remove X-Frame-Options

}

 when CLIENT_ACCEPTED {
    ACCESS::restrict_irule_events disable
}

Any advice welcome.

7 Replies

  • forgot to mention, the server response header is always X-Frame-Options: DENY. Closest I've come is to insert a header with that value but this results in duplicate headers.
  • Hi Rabbit,

    you may try to use...

     

    when HTTP_RESPONSE_RELEASE {
        log local0.notice "removing header"
        HTTP::header remove X-Frame-Options
    }
    

     

    ... HTTP_RESPONSE_RELEASE is the very last event before sending the response to the client.

    Cheers, Kai

  • Lucas_Thompson_'s avatar
    Lucas_Thompson_
    Historic F5 Account

    Try doing "bigstart restart". The ramcache in BIG-IP stores the pages for APM's HTTP server so that the server itself doesn't have to deal with incoming client requests. I tested this in v12.0 and it seems to be fine, but it does require a restart.

     

    • Lucas_Thompson_'s avatar
      Lucas_Thompson_
      Historic F5 Account
      Also: The thing that has to be "none" isn't apm.xframeoptions.allowfrom , it's apm.xframeoptions. The alowfrom sets the domains, not "none".
  • I personally prefer using of Content-Security-Policy and X-Content-Security-Policy, instead of X-Frame-Options.

    X-Frame-Options header is not very flexible, especially if you want to allow your APM site to be rendered on more than just one site. This is the code I use, which is quite similar to Kai's and Rabbit23's code:

     

    when CLIENT_ACCEPTED {
      ACCESS::restrict_irule_events disable
    }
    
    when HTTP_RESPONSE_RELEASE {
    
      set apm_csp "frame-ancestors 'self' developer.mozilla.org *.f5.com"
    
       X-Frame-Options, Content-Security-Policy, X-Content-Security-Policy
      
      HTTP::header remove X-Frame-Options
      HTTP::header remove Content-Security-Policy
      HTTP::header remove X-Content-Security-Policy
    
      HTTP::header insert Content-Security-Policy "$apm_csp"
      HTTP::header insert X-Content-Security-Policy "$apm_csp"
    }
    

     

    <p>In the example above your APM site will be allowed to be rendered inside an <code><iframe></code> on the site's own origin (this excludes subdomains), <code>developer.mozilla.org</code> and all <code>f5.com</code> subdomains.</p> <p>I really wish F5 stopped using <code>X-Frame-Options</code> and started using <code>Content-Security-Policy</code> and <code>X-Content-Security-Policy</code> instead.</p>

     

     

    • svs's avatar
      svs
      Icon for Cirrus rankCirrus

      From my perspective your assumptions are not correct.

      1. XFO is still a recommended header, for legacy browsers. The OSHP still didn't deprecate this header, I assume for compatibilty.
      2. There is no longer a X-Content-Security-Policy. It was the experimental version of the CSP and IS, in fact, deprecated. This deprecation took place so long ago, that even the OSHP doesn't list it as deprecated. ğŸ˜‰

      So, the native configuration method is outdated and cannot be used to solve this. XFO doesn't support allow-from as option anymore. Thefore, you can only use the CSP with frame-ancestor, as already stated. However, the examples above would overwrite any existing CSP from the origin webserver/application. A better approach can be found here: https://community.f5.com/t5/codeshare/irule-to-modify-a-content-security-policy-header/tac-p/325338#M5255 

      This iRule only overwrites single directives from the CSP and leaves everything else as sent from the server. It works in cases where the origin server send a CSP and if not. Very handy! ğŸ‘