Forum Discussion

CA_Valli's avatar
CA_Valli
Icon for MVP rankMVP
Oct 26, 2022
Solved

Applying APM on an iframe

Hello everyone,

I'm having this issue where APM-protected content fails to start APM session if called from an iFrame. 

The access session starts at client request time as expected, and I can see that APM responds with the redirect to /my.policy setting unique access session cookies (MRHSession, LastMRH_Session) .
I have noticed that when iframe tries to load GET /my.policy request, it does not retain those cookies, which I suspect being the reason request fails.
My access session times out with 0 received packets, from packet capture I see APM redirects client to /my.logout.php3?errorcode=19 page and on iFrame content I see APM page with "Access Denied" message.

Has anyone had this issue before? Any input is appreciated.

APM
application delivery
security
  • CA_Valli's avatar
    CA_Valli
    Dec 13, 2022

    So we did some more testing, and this is not going to work.

    We've worked with support and experimented with iRules to insert additional headers and cookies into the response, but the behaviour of CORS is that these are always going to be removed. And because APM relies heavily on cookies to function, it does mean that accessing APM-protected content from an iFrame will fail to work. 

14 Replies

Sort By
  • momahdy's avatar
    momahdy
    Icon for Employee rankEmployee
    Oct 26, 2022

    Hi,
    I believe I came across a similar case, you may want to check this link,
    https://community.f5.com/t5/technical-forum/apply-apm-to-an-iframe-the-content-cannot-be-display-in-frame/td-p/133029
    The comment with the resolution, stated the below,

    i found the way to prevent the dialog breaks out of the frame :

    1. go to the Access Policy -> Customization -> Advanced
    2. go to Access Profiles / / Access Policy / Logon Pages / Logon Page / logon.inc
    3. Search for if(self != top) { top.location = self.location; } and comment it out so it looks like this: //if(self != top) { top.location = self.location; }
    4. Save changes; Apply policy changes
    • CA_Valli's avatar
      CA_Valli
      Icon for MVP rankMVP
      Oct 26, 2022

      Thanks for the very fast response. Will try this out and let you know. 

      • CA_Valli's avatar
        CA_Valli
        Icon for MVP rankMVP
        Oct 27, 2022

        momahdy  I'm running BIG-IP version 16, logon.inc seems related to previous software versions and I have not found similar code in other ".inc" pages within advanced APM policy configuration menu.

         

  • CA_Valli's avatar
    CA_Valli
    Icon for MVP rankMVP
    Dec 13, 2022

    So we did some more testing, and this is not going to work.

    We've worked with support and experimented with iRules to insert additional headers and cookies into the response, but the behaviour of CORS is that these are always going to be removed. And because APM relies heavily on cookies to function, it does mean that accessing APM-protected content from an iFrame will fail to work. 

    • AubreyKingF5's avatar
      AubreyKingF5
      Icon for Admin rankAdmin
      Jan 04, 2023

      Sorry about this! One thing.. and sorry I didn't see this until now.. one-connect on the VIP. Did support have you try this? 

      • CA_Valli's avatar
        CA_Valli
        Icon for MVP rankMVP
        Jan 05, 2023

        Hello Aubrey, thanks for your input.
        We haven't tried Oneconnect, but since APM is in place and we're getting errors at authentication time, the BIG-IP never really forwards these packets to back-end anyways.