
Nfordhk_66801 (Nimbostratus)
Apr 02, 2015

Apply APM to an iFrame - The content cannot be display in Frame



We have an application and when you click a button, it makes a call to another virtual server and opens the window in an iFrame.


When we apply our APM policy, it runs through specific checks but we receive an error: "The content cannot be display in Frame."


Is this an error caused by the F5 or our application? Reading this article


It appears to me this is an application security issue, not an F5 issue. Is this possibly an IE issue?


10 Replies

  • I found the way to prevent the dialog from breaking out of the frame:


    1. Go to the Access Policy -> Customization -> Advanced
    2. Go to Access Profiles / / Access Policy / Logon Pages / Logon Page /
    3. Search for if(self != top) { top.location = self.location; } and comment it out so it looks like this: //if(self != top) { top.location = self.location; }
    4. Save changes; Apply policy changes
  • Hi Alex,

    Here is an iRule workaround to use this for several sites.

    # Event wrappers, "return" and closing braces were lost from the post as extracted;
    # those below, and the Referer check, are a reconstruction.
    when CLIENT_ACCEPTED {
      ACCESS::restrict_irule_events disable
    }
    when HTTP_REQUEST {
      if { [ACCESS::session sid] == "" || ![ACCESS::session exists -state_allow] } {
        # session does not exist in allow state, continue, user is logging in now
      } else {
        # session already exists and is allowed, don't do anything, this will be the 99.9% case.
        return
      }
      if { [HTTP::uri] contains "renderer" } {
        if { [HTTP::header exists "Referer"] } {
          set frame_referer [HTTP::header "Referer"]
        }
      }
    }
    when HTTP_RESPONSE_RELEASE {
      # Update below to match your desired TLD
      if { [info exists frame_referer] && $frame_referer matches_regex {UPDATE_THIS} } {
        HTTP::header replace "X-Frame-Options" "ALLOW-FROM $frame_referer"
      }
    }

    Hope this helps!

    You need to have the db variable set to "allow_from"


  • You can set the option to "none".

    root@(cooper-apm-11-6-0)(cfg-sync Standalone)(Active)(/Common)(tmos)# list sys db apm.xframeoptions
    sys db apm.xframeoptions {
        value "none"
    }
    root@(cooper-apm-11-6-0)(cfg-sync Standalone)(Active)(/Common)(tmos)#

    This should turn it off globally.


  • Try to set the option to "allow_from" and make sure the "allowfrom" is the page that is calling the iframe.

    root@(cooper-apm-11-6-0)(cfg-sync Standalone)(Active)(/Common)(tmos)# list sys db apm.xframeoptions
    sys db apm.xframeoptions {
        value "allow_from"
    }
    root@(cooper-apm-11-6-0)(cfg-sync Standalone)(Active)(/Common)(tmos)# list sys db apm.xframeoptions.allowfrom
    sys db apm.xframeoptions.allowfrom {
        value "http://x.x.x.x"
    }
    root@(cooper-apm-11-6-0)(cfg-sync Standalone)(Active)(/Common)(tmos)#

    In this example x.x.x.x is the original website that has the frame for the VS embedded.


  • I've tried multiple options such as allow_from, same_origin.

    However, current DB options:

     list sys db apm.xframeoptions
     sys db apm.xframeoptions {
         value "same_origin"
     }
     list sys db apm.xframeoptions.allowfrom
     sys db apm.xframeoptions.allowfrom {
         value "https://debitcardapppp"
     }

    I've also tried adding an iRule to one/both VS servers:

     when HTTP_RESPONSE {
       HTTP::header replace X-Frame-Options "SAMEORIGIN"
     }

    I do not have the paid version of HTTPWatch and have been using Fiddler. However, other than when my policy is accessed, I see zero other X-Frame-Options.

    • Nfordhk_66801 (Nimbostratus)
      I've verified that shortname is being utilized. value "https://debitcardapppp" should be correct.
  • Here's a representation of the issue. The background is virtual server A, I then click a button where it calls virtual server B through an iframe. The policy is applied to virtual server B only.




    • Seth_Cooper (Employee)
      What do you have set for the db options? What does it look like in an HTTPWatch? Seth
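
How the `apm.xframeoptions` settings discussed in this thread play out in the browser, as an added example that is not part of any post: the function models the framing decision for each `X-Frame-Options` value. The host `vs-b.example.test`, the `/app` path and the function names are assumptions made for illustration.

```javascript
// Added example, not from the thread. Hostnames are constructed samples,
// except https://debitcardapppp, the allowfrom value quoted in the thread.

function originOf(url) {
  try {
    return new URL(url).origin; // scheme + host + port; path is ignored
  } catch (e) {
    return null; // not an absolute URL
  }
}

// headerValue: X-Frame-Options on the framed response (null if absent)
// parentUrl:   page that contains the <iframe> (virtual server A)
// frameUrl:    URL loaded inside the frame (virtual server B)
// honorsAllowFrom: true models IE; false models browsers that ignore ALLOW-FROM
function framingDecision(headerValue, parentUrl, frameUrl, honorsAllowFrom = true) {
  const value = (headerValue || "").trim();
  if (value === "") {
    return { allowed: true, reason: "no X-Frame-Options header" };
  }
  const upper = value.toUpperCase();
  const parent = originOf(parentUrl);
  const frame = originOf(frameUrl);

  if (upper === "DENY") {
    return { allowed: false, reason: "DENY blocks all framing" };
  }
  if (upper === "SAMEORIGIN") {
    const ok = parent !== null && parent === frame;
    return { allowed: ok, reason: ok ? "same origin" : `${parent} is not ${frame}` };
  }
  if (upper.startsWith("ALLOW-FROM ")) {
    if (!honorsAllowFrom) {
      return { allowed: true, reason: "ALLOW-FROM ignored by this browser" };
    }
    const listed = originOf(value.slice("ALLOW-FROM ".length).trim());
    const ok = listed !== null && listed === parent;
    return { allowed: ok, reason: ok ? "parent is the listed origin" : `${parent} is not ${listed}` };
  }
  // Assumption: an unrecognised value is treated as if no header was sent.
  return { allowed: true, reason: "unrecognised value ignored" };
}

// The thread's layout: A frames B, policy on B only.
const A = "https://debitcardapppp/app";
const B = "https://vs-b.example.test/my.policy";
console.log(framingDecision("SAMEORIGIN", A, B));
console.log(framingDecision("ALLOW-FROM https://debitcardapppp", A, B));
```

With `same_origin`, framing B from A is blocked whenever the two virtual servers have different origins. Passing `false` as the last argument shows that a browser which ignores `ALLOW-FROM` gets no framing restriction from that header at all.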