Forum Discussion
x-frame-options settings not working in APM
I personally prefer using of Content-Security-Policy and X-Content-Security-Policy, instead of X-Frame-Options.
X-Frame-Options header is not very flexible, especially if you want to allow your APM site to be rendered on more than just one site. This is the code I use, which is quite similar to Kai's and Rabbit23's code:
when CLIENT_ACCEPTED {
    ACCESS::restrict_irule_events disable
}
when HTTP_RESPONSE_RELEASE {
    set apm_csp "frame-ancestors 'self' developer.mozilla.org *.f5.com"
    # Remove any existing X-Frame-Options, Content-Security-Policy and X-Content-Security-Policy headers
    HTTP::header remove X-Frame-Options
    HTTP::header remove Content-Security-Policy
    HTTP::header remove X-Content-Security-Policy
    HTTP::header insert Content-Security-Policy "$apm_csp"
    HTTP::header insert X-Content-Security-Policy "$apm_csp"
}
In the example above your APM site will be allowed to be rendered inside an <iframe> on the site's own origin (this excludes subdomains), developer.mozilla.org and all f5.com subdomains.

I really wish F5 would stop using X-Frame-Options and start using Content-Security-Policy and X-Content-Security-Policy instead.
From my perspective your assumptions are not correct.
- XFO is still a recommended header, for legacy browsers. The OSHP still didn't deprecate this header, I assume for compatibility.
- There is no longer an X-Content-Security-Policy. It was the experimental version of the CSP and IS, in fact, deprecated. This deprecation took place so long ago that even the OSHP doesn't list it as deprecated. 😉
So, the native configuration method is outdated and cannot be used to solve this. XFO doesn't support allow-from as an option anymore. Therefore, you can only use the CSP with frame-ancestors, as already stated. However, the examples above would overwrite any existing CSP from the origin webserver/application. A better approach can be found here: https://community.f5.com/t5/codeshare/irule-to-modify-a-content-security-policy-header/tac-p/325338#M5255
This iRule only overwrites single directives of the CSP and leaves everything else as sent from the server. It works both when the origin server sends a CSP and when it does not. Very handy! 👍
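The directive-level merge described in the reply above, as an added example that is not part of this thread or of the linked DevCentral iRule: it models, in Python rather than iRule Tcl, how a proxy can set frame-ancestors in a response's Content-Security-Policy while keeping every other directive the origin sent, and it contrasts that with the remove-and-insert approach from the earlier post, which discards whatever the origin had. The header values, origins and host names are constructed for the example.

```python
"""Merge a frame-ancestors directive into a response CSP without
discarding the directives the origin server already sent.

Added example (Python model of proxy header logic, not an F5 iRule).
Sample header values below are constructed for illustration.
"""
from __future__ import annotations

from typing import Optional


def parse_csp(value: str) -> list[tuple[str, str]]:
    """Split a CSP header value into (directive-name, value) pairs, in order.

    Directives are separated by ';'; the first token of each is the name.
    Names are compared case-insensitively, so they are lower-cased here.
    """
    directives: list[tuple[str, str]] = []
    for part in value.split(";"):
        tokens = part.split(None, 1)
        if not tokens:  # empty segment, e.g. a trailing ';'
            continue
        name = tokens[0].lower()
        rest = tokens[1].strip() if len(tokens) > 1 else ""
        directives.append((name, rest))
    return directives


def serialize_csp(directives: list[tuple[str, str]]) -> str:
    """Join directives back into a header value ('name value; name value')."""
    return "; ".join(f"{name} {value}".strip() for name, value in directives)


def set_csp_directive(existing: Optional[str], name: str, value: str) -> str:
    """Return a CSP with one directive replaced (or appended) and all others intact.

    If the origin sent no CSP, the result is just the new directive.
    Repeated occurrences of the directive are collapsed into one, since the
    CSP spec makes browsers honour only the first occurrence of a name anyway.
    """
    name = name.lower()
    merged: list[tuple[str, str]] = []
    replaced = False
    for n, v in parse_csp(existing or ""):
        if n == name:
            if not replaced:
                merged.append((n, value))
                replaced = True
            continue  # drop later duplicates of the same directive
        merged.append((n, v))
    if not replaced:
        merged.append((name, value))
    return serialize_csp(merged)


def apply_frame_ancestors(headers: dict[str, str], allowed: str) -> dict[str, str]:
    """Set frame-ancestors on a response's CSP, matching the header name case-insensitively."""
    out = dict(headers)
    key = next((k for k in out if k.lower() == "content-security-policy"),
               "Content-Security-Policy")
    out[key] = set_csp_directive(out.get(key), "frame-ancestors", allowed)
    return out


def overwrite_csp(headers: dict[str, str], allowed: str) -> dict[str, str]:
    """The remove-and-insert approach: every directive the origin sent is lost."""
    out = {k: v for k, v in headers.items() if k.lower() != "content-security-policy"}
    out["Content-Security-Policy"] = f"frame-ancestors {allowed}"
    return out


if __name__ == "__main__":
    allowed = "'self' developer.mozilla.org *.f5.com"
    # Constructed sample: the origin already restricts scripts and forbids framing.
    origin = {
        "Content-Type": "text/html",
        "Content-Security-Policy": "default-src 'self'; script-src 'self' cdn.example.invalid; frame-ancestors 'none'",
    }
    print("merged:   ", apply_frame_ancestors(origin, allowed)["Content-Security-Policy"])
    print("overwrite:", overwrite_csp(origin, allowed)["Content-Security-Policy"])
    # Constructed sample: the origin sends no CSP at all, so one is created.
    print("no CSP:   ", apply_frame_ancestors({"Content-Type": "text/html"}, allowed)["Content-Security-Policy"])
```

Running the script shows the merged policy keeping default-src and script-src while only frame-ancestors changes, whereas the overwrite variant leaves the response with nothing but frame-ancestors, which is the loss of origin protections the reply warns about.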