Forum Discussion

Rabbit23_116296 (Nimbostratus)
Jan 28, 2016

x-frame-options settings not working in APM

I have /my.policy overwriting every attempt I've made to disable this clickjacking protection. I have a frame that needs to access APM and this damn header is constantly getting set. Using BIGIP 12, I've run this in TMSH: tmsh modify /sys db apm.xframeoptions.allowfrom value none

Doesn't work...

tried it even in an iRule to replace or outright remove it:

when HTTP_REQUEST {
}
when HTTP_RESPONSE {
    log local0.notice "removing header"
    HTTP::header remove X-Frame-Options
}

when CLIENT_ACCEPTED {
    ACCESS::restrict_irule_events disable
}

Any advice welcome.

  • forgot to mention, the server response header is always X-Frame-Options: DENY. Closest I've come is to insert a header with that value but this results in duplicate headers.
  • Hi Rabbit,

    you may try to use...

    when HTTP_RESPONSE_RELEASE {
        log local0.notice "removing header"
        HTTP::header remove X-Frame-Options
    }

    ... HTTP_RESPONSE_RELEASE is the very last event before sending the response to the client.

    Cheers, Kai

  • Lucas_Thompson_ (Historic F5 Account)

    Try doing "bigstart restart". The ramcache in BIG-IP stores the pages for APM's HTTP server so that the server itself doesn't have to deal with incoming client requests. I tested this in v12.0 and it seems to be fine, but it does require a restart.

    • Lucas_Thompson_ (Historic F5 Account)
      Also: The thing that has to be "none" isn't apm.xframeoptions.allowfrom, it's apm.xframeoptions. The allowfrom sets the domains, not "none".
  • I personally prefer using of Content-Security-Policy and X-Content-Security-Policy, instead of X-Frame-Options.

    X-Frame-Options header is not very flexible, especially if you want to allow your APM site to be rendered on more than just one site. This is the code I use, which is quite similar to Kai's and Rabbit23's code:

    when CLIENT_ACCEPTED {
        ACCESS::restrict_irule_events disable
    }

    when HTTP_RESPONSE_RELEASE {
        set apm_csp "frame-ancestors 'self' developer.mozilla.org *.f5.com"

        # Strip any existing X-Frame-Options, Content-Security-Policy, X-Content-Security-Policy
        HTTP::header remove X-Frame-Options
        HTTP::header remove Content-Security-Policy
        HTTP::header remove X-Content-Security-Policy

        HTTP::header insert Content-Security-Policy "$apm_csp"
        HTTP::header insert X-Content-Security-Policy "$apm_csp"
    }

    In the example above your APM site will be allowed to be rendered inside an <iframe> on the site's own origin (this excludes subdomains), developer.mozilla.org and all f5.com subdomains.

    I really wish F5 stopped using X-Frame-Options and started using Content-Security-Policy and X-Content-Security-Policy instead.

    • svs (Cirrostratus)

      From my perspective your assumptions are not correct.

      1. XFO is still a recommended header, for legacy browsers. The OSHP still didn't deprecate this header, I assume for compatibility.
      2. There is no longer an X-Content-Security-Policy. It was the experimental version of the CSP and IS, in fact, deprecated. This deprecation took place so long ago that even the OSHP doesn't list it as deprecated. 😉

      So, the native configuration method is outdated and cannot be used to solve this. XFO doesn't support allow-from as an option anymore. Therefore, you can only use the CSP with frame-ancestors, as already stated. However, the examples above would overwrite any existing CSP from the origin webserver/application. A better approach can be found here: https://community.f5.com/t5/codeshare/irule-to-modify-a-content-security-policy-header/tac-p/325338#M5255

      This iRule only overwrites single directives from the CSP and leaves everything else as sent from the server. It works in cases where the origin server sends a CSP and where it does not. Very handy! 👍
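The directive-level merge svs describes, as an added Python model that is not the linked iRule or any F5 code: it sets frame-ancestors in an existing CSP (or creates one), keeps every other directive as the server sent it, and drops X-Frame-Options so the two headers do not disagree. The header values and the function names are constructed for this example.

```python
# Constructed sample response headers (not captured from a BIG-IP): X-Frame-Options: DENY
# is what the thread's author saw, and the CSP carries directives that must survive.
SAMPLE_HEADERS = {
    "Content-Type": "text/html",
    "X-Frame-Options": "DENY",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'; script-src 'self'",
}

def parse_csp(value):
    """Split a CSP value into ordered (directive-name, [sources]) pairs; empty parts are skipped."""
    directives = []
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            directives.append((tokens[0].lower(), tokens[1:]))
    return directives

def serialize_csp(directives):
    return "; ".join(" ".join([name, *sources]) for name, sources in directives)

def set_frame_ancestors(csp, ancestors):
    """Return `csp` with frame-ancestors set to `ancestors` (e.g. "'self' *.f5.com"). Other
    directives keep their order and values; a missing CSP yields one with only frame-ancestors."""
    new = ("frame-ancestors", ancestors.split())
    out, replaced = [], False
    for name, sources in parse_csp(csp or ""):
        if name == "frame-ancestors":
            if not replaced:
                out.append(new)
                replaced = True
            continue  # collapse any further frame-ancestors copies
        out.append((name, sources))
    if not replaced:
        out.append(new)
    return serialize_csp(out)

def rewrite_response_headers(headers, ancestors):
    """Model of the HTTP_RESPONSE_RELEASE step: drop X-Frame-Options (DENY cannot express an
    allow list and would keep blocking the frame in browsers without frame-ancestors support),
    then set frame-ancestors in the CSP. Every other header is passed through untouched."""
    out, csp = {}, None
    for name, value in headers.items():
        if name.lower() == "x-frame-options":
            continue
        if name.lower() == "content-security-policy":
            csp = value
            continue
        out[name] = value
    out["Content-Security-Policy"] = set_frame_ancestors(csp, ancestors)
    return out
```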