Forum Discussion
x-frame-options settings not working in APM
I personally prefer using of Content-Security-Policy and X-Content-Security-Policy, instead of X-Frame-Options.
X-Frame-Options header is not very flexible, especially if you want to allow your APM site to be rendered on more than just one site. This is the code I use, which is quite similar to Kai's and Rabbit23's code:
when CLIENT_ACCEPTED {
ACCESS::restrict_irule_events disable
}
when HTTP_RESPONSE_RELEASE {
set apm_csp "frame-ancestors 'self' developer.mozilla.org *.f5.com"
X-Frame-Options, Content-Security-Policy, X-Content-Security-Policy
HTTP::header remove X-Frame-Options
HTTP::header remove Content-Security-Policy
HTTP::header remove X-Content-Security-Policy
HTTP::header insert Content-Security-Policy "$apm_csp"
HTTP::header insert X-Content-Security-Policy "$apm_csp"
}
<p>In the example above your APM site will be allowed to be rendered inside an <code><iframe></code> on the site's own origin (this excludes subdomains), <code>developer.mozilla.org</code> and all <code>f5.com</code> subdomains.</p> <p>I really wish F5 stopped using <code>X-Frame-Options</code> and started using <code>Content-Security-Policy</code> and <code>X-Content-Security-Policy</code> instead.</p>
- svsDec 07, 2023Cirrostratus
From my perspective your assumptions are not correct.
- XFO is still a recommended header, for legacy browsers. The OSHP still didn't deprecate this header, I assume for compatibilty.
- There is no longer a X-Content-Security-Policy. It was the experimental version of the CSP and IS, in fact, deprecated. This deprecation took place so long ago, that even the OSHP doesn't list it as deprecated. 😉
So, the native configuration method is outdated and cannot be used to solve this. XFO doesn't support allow-from as option anymore. Thefore, you can only use the CSP with frame-ancestor, as already stated. However, the examples above would overwrite any existing CSP from the origin webserver/application. A better approach can be found here: https://community.f5.com/t5/codeshare/irule-to-modify-a-content-security-policy-header/tac-p/325338#M5255
This iRule only overwrites single directives from the CSP and leaves everything else as sent from the server. It works in cases where the origin server send a CSP and if not. Very handy! 👍
Recent Discussions
Related Content
* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com