Apply APM to an iFrame - The content cannot be display in Frame

Hi,

We have an application and when you click a button, it makes a call to another virtual server and opens the window in an iFrame.

When we apply our APM policy, it runs through specific checks but we receive an error: "The content cannot be display in Frame."

Is this an error caused by the F5 or our application? Reading this article http://stackoverflow.com/questions/14141388/iframe-this-content-cannot-be-displayed-in-a-frame

It appears to me this is an application security issue, not an F5 one. Is this possibly an IE issue?


Answers to this Question

USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

You can set the option to "none".

root@(cooper-apm-11-6-0)(cfg-sync Standalone)(Active)(/Common)(tmos)# list sys db apm.xframeoptions
sys db apm.xframeoptions {
    value "none"
}
root@(cooper-apm-11-6-0)(cfg-sync Standalone)(Active)(/Common)(tmos)#

This should turn it off globally.

Seth

1
Comments on this Answer
Comment made 22-Apr-2015 by Nfordhk 389
You've done it again! :) Very much appreciate all your help as always.
0
Comment made 22-May-2015 by Seth Cooper
To follow up on this... we now have a solution article published to discuss this feature. https://support.f5.com/kb/en-us/solutions/public/16000/600/sol16642.html Seth
0
Comment made 16-Jun-2015 by amciver 0
Seth, This is working however the log in dialog via my.policy is breaking out of the iFrame which obviously fouls everything up. Is there a way to prevent the log in dialog from breaking out of the iFrame?
0
Comment made 01-Mar-2017 by amass87 83

What if the content behind the APM policy has to be in the iFrame for the application to function. How can I prompt for a login, without breaking the entirely HTTP flow out of the iFrame?

0
USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

Hi Nick,

This is by design to protect against Clickjacking. We insert the X-Frame-Options header in the server response and set it to DENY.

https://developer.mozilla.org/en-US/docs/Web/HTTP/X-Frame-Options

https://www.owasp.org/index.php/Clickjacking_Defense_Cheat_Sheet#Defending_with_X-Frame-Options_Response_Headers

You should be able to remove the header or modify it with an iRule if needed.

Regards,

Seth

1
Comments on this Answer
Comment made 06-Apr-2015 by Nfordhk 389
Hey Seth, I wanted to make sure I'm clear. The application provides the error "This content cannot be displayed in a frame". It is the APM policy, I believe, attempting to hijack the frame for its "splash" page.
0
Comment made 06-Apr-2015 by Seth Cooper
So you have APM which includes a frame (adding it through advanced customization) or you have a application with a frame that points at APM? I'm not following the exact architecture here. When you say the application provides the error is that error inside the frame? You can use HTTPWatch to look at content and traffic flow. Seth
0
Comment made 21-Apr-2015 by Nfordhk 389
I'm sorry for my late response; I never saw yours come through. We have an application with a frame that points at the APM. Virtual server A calls virtual server B (where APM is applied) through an iFrame. Yes, the error is inside the frame.
0
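As an added illustration (not code from this thread or from F5), here is a small Python model of the browser-side decision Seth describes: which of the four apm.xframeoptions values lets virtual server B render inside the frame on virtual server A. The header string assumed for each db value, the two example URLs and the browser-support flag are assumptions made for the example, not something the thread states.

```python
"""Model of the browser-side X-Frame-Options (XFO) decision behind the
"content cannot be displayed in a frame" message.  Added illustration, not
F5 code: it maps the apm.xframeoptions values named in the thread (deny,
same_origin, allow_from, none) onto standard header values (an assumption
about what APM emits) and evaluates them against constructed URLs.
"""
from urllib.parse import urlsplit


def origin_of(url):
    """scheme://host[:port], the unit browsers compare for framing decisions."""
    p = urlsplit(url)
    port = f":{p.port}" if p.port else ""
    return f"{p.scheme}://{p.hostname}{port}".lower()


def header_for_setting(setting, allowfrom=""):
    """Header APM is assumed to inject for each db value (None = no header)."""
    return {
        "deny": "DENY",
        "same_origin": "SAMEORIGIN",
        "allow_from": f"ALLOW-FROM {allowfrom}",
        "none": None,
    }[setting]


def frame_allowed(xfo, framed_url, top_url, supports_allow_from=True):
    """True if the document at framed_url may render inside a frame whose
    top-level page is top_url, given the XFO header value (None = absent).

    supports_allow_from models the browser: IE and older Firefox honoured
    ALLOW-FROM; Chrome and Safari never did, and modern browsers ignore the
    whole header when they see it, which is why an ALLOW-FROM fix is
    browser-dependent.
    """
    if xfo is None:
        return True                         # no header: any site may frame it
    directive, _, argument = xfo.strip().partition(" ")
    directive = directive.upper()
    if directive == "DENY":
        return False
    if directive == "SAMEORIGIN":
        return origin_of(framed_url) == origin_of(top_url)
    if directive == "ALLOW-FROM":
        if not supports_allow_from or not argument:
            return True                     # unrecognised value: header ignored
        return origin_of(argument) == origin_of(top_url)
    return True                             # unknown directive: header ignored


# Constructed stand-ins for the two virtual servers in the question.
VS_A = "https://app-a.example/dashboard"      # page that contains the iframe
VS_B = "https://apm-b.example/my.policy"      # APM-protected page inside it


def results_by_setting():
    """Evaluate every db setting for the VS A -> VS B framing from the thread."""
    out = {}
    for setting in ("deny", "same_origin", "allow_from", "none"):
        xfo = header_for_setting(setting, allowfrom=origin_of(VS_A))
        out[setting] = frame_allowed(xfo, VS_B, VS_A)
    return out


if __name__ == "__main__":
    for setting, ok in results_by_setting().items():
        print(f"{setting:12s} -> {'framed' if ok else 'blocked'}")
```

Running it shows the trade-off behind the answers in this thread: deny and same_origin both block the cross-host frame, allow_from opens it only to the one listed origin (and only in browsers that honour ALLOW-FROM), and none removes the clickjacking protection for every site, not just the one you meant to allow.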
USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

It looks like there is a db variable to modify the behavior.

root@(cooper-apm-11-6-0)(cfg-sync Standalone)(Active)(/Common)(tmos)# list sys db apm.xframeoptions
sys db apm.xframeoptions {
    value "deny"
}
root@(cooper-apm-11-6-0)(cfg-sync Standalone)(Active)(/Common)(tmos)# list sys db apm.xframeoptions.allowfrom
sys db apm.xframeoptions.allowfrom {
    value "<null>"
}
root@(cooper-apm-11-6-0)(cfg-sync Standalone)(Active)(/Common)(tmos)#

The apm.xframeoptions has the following values it can be set to:

-allow_from
-deny
-none
-same_origin

The apm.xframeoptions.allowfrom would be set to a value of http://host.domain.com:

# tmsh modify sys db apm.xframeoptions.allowfrom value http://host.domain.com

Here is the SOL that describes the clickjacking vulnerability.

https://support.f5.com/kb/en-us/solutions/public/14000/700/sol14700.html

-Seth

1
Comments on this Answer
Comment made 04-Apr-2015 by boneyard 5637
good enough, thanks.
0
USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

Thanks Seth! I'll look into the documentation you provided.

0
USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

Here's a photo of the issue. The background is virtual server A, I then click a button where it calls virtual server B through an iframe. The policy is applied to virtual server B only.


0
Comments on this Answer
Comment made 21-Apr-2015 by Seth Cooper
What do you have set for the db options? What does it look like in an HTTPWatch? Seth
0
USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

I've tried multiple options such as allow_from, same_origin.

However, current DB options:

list sys db apm.xframeoptions
sys db apm.xframeoptions {
    value "same_origin"
}

list sys db apm.xframeoptions.allowfrom
sys db apm.xframeoptions.allowfrom {
    value "https://debitcardapppp"
}

I've also tried adding an iRule to one/both VS servers:

when HTTP_RESPONSE {
    HTTP::header replace X-Frame-Options "SAMEORIGIN"
}

I do not have the paid version of HTTPWatch and have been using Fiddler. However, other than when my policy is accessed, I see no other X-Frame-Options headers.

0
Comments on this Answer
Comment made 21-Apr-2015 by Nfordhk 389
I've verified that shortname is being utilized. value "https://debitcardapppp" should be correct.
0
USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

Try to set the option to "allow_from" and make sure the "allowfrom" is the page that is calling the iframe.

root@(cooper-apm-11-6-0)(cfg-sync Standalone)(Active)(/Common)(tmos)# list sys db apm.xframeoptions
sys db apm.xframeoptions {
    value "allow_from"
}
root@(cooper-apm-11-6-0)(cfg-sync Standalone)(Active)(/Common)(tmos)# list sys db apm.xframeoptions.allowfrom
sys db apm.xframeoptions.allowfrom {
    value "http://x.x.x.x"
}
root@(cooper-apm-11-6-0)(cfg-sync Standalone)(Active)(/Common)(tmos)#

In this example x.x.x.x is the original website that has the frame for the VS embedded.

Seth

0
Comments on this Answer
Comment made 22-Apr-2015 by Nfordhk 389
That worked perfectly! Thanks again Seth! Am I able to add multiple values in the allowfrom field?
0
Comment made 22-Apr-2015 by Nfordhk 389
Or, is there an iRule to remove this header? I see it in Fiddler as a response header. We tried iRules to remove X-Frame-Options with no luck.
0
Comment made 10-Jun-2015 by Alex Zurita 0
I am having a similar issue. Modifying apm.xframeoptions.allowfrom works. However, I need to do this with several sites and do not want to set the policy to none. Is there a way to do this with an iRule? I have tried when HTTP_RESPONSE { HTTP::header replace X-Frame-Options "ALLOW-FROM https://sitexyz.com" } and that does not work; in Fiddler I still see the header come across as DENY.
0
USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

Hi Alex,

Here is an iRule workaround to use this for several sites.

when CLIENT_ACCEPTED {
  ACCESS::restrict_irule_events disable
}

when HTTP_REQUEST {
  if { [ACCESS::session sid] == "" || ![ACCESS::session exists -state_allow] } {
    # session does not exist in allow state, continue, user is logging in now
  } else {
    # session already exists and is allowed, don't do anything, this will be the 99.9% case.
    return
  }
  if { [HTTP::uri] contains "renderer" } {
    return
  }
  if { [info exists frame_referer] } {
    return
  }
  set frame_referer [HTTP::header "Referer"]
}

when HTTP_RESPONSE_RELEASE {

  # Update below to match your desired TLD

  if { [info exists frame_referer] && $frame_referer matches_regex {UPDATE_THIS} } {
    HTTP::header replace "X-Frame-Options" "ALLOW-FROM $frame_referer"
  }
}

Hope this helps!

You need to have the db variable set to "allow_from"

Seth

0
Comments on this Answer
Comment made 16-Jun-2015 by amciver 0
Seth, This seems to be working for us however the log in dialog breaks out of the iFrame. Is there no way to prevent the log in dialog from busting out of the iFrame?
0
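The iRule in Seth's answer picks the ALLOW-FROM value from the first Referer it sees on a not-yet-allowed session, so everything hinges on the regex the administrator puts at UPDATE_THIS. As an added illustration (not F5 code and not part of the answer), the Python function below reproduces that decision so two candidate patterns can be compared on constructed referers. The pattern names, the sample hosts and the assumption that APM injected DENY before the iRule ran are choices made for the example.

```python
"""Python model of the decision the iRule above makes, added as an
illustration (not F5 code and not a substitute for the iRule itself).

The iRule remembers the Referer of the first request of a not-yet-allowed
APM session and, at response time, rewrites X-Frame-Options to
ALLOW-FROM <that referer> when the referer matches the regex filled in at
UPDATE_THIS.  rewrite_xfo() reproduces that logic so the effect of the
regex choice can be checked against constructed requests.
"""
import re


def rewrite_xfo(referer, allow_pattern, session_allowed, uri, injected="DENY"):
    """Return the X-Frame-Options value the client would finally see.

    referer         -- Referer header of the first request in this flow (or None)
    allow_pattern   -- compiled regex standing in for UPDATE_THIS
    session_allowed -- True once the APM session is in the allow state
    uri             -- request URI (the iRule skips URIs containing 'renderer')
    injected        -- value APM inserted before the iRule ran; "DENY" is an
                       assumption for the example, it depends on the db variable
    """
    if session_allowed:                 # the 99.9% case: the iRule returns early
        return injected
    if "renderer" in uri:               # skipped exactly as the iRule does
        return injected
    if referer is None:                 # nothing captured, header left untouched
        return injected
    # matches_regex behaves like Tcl regexp: an unanchored search.  The pattern
    # therefore has to pin down scheme and host, or it accepts more than intended.
    if allow_pattern.search(referer):
        return f"ALLOW-FROM {referer}"
    return injected


# Two candidate patterns for UPDATE_THIS, constructed for the example.
LOOSE = re.compile(r"portal\.example")                       # bare substring
STRICT = re.compile(r"^https://portal\.example(?::\d+)?/")   # scheme and host anchored


def compare_patterns():
    """Run both patterns over constructed referers.

    Returns {referer: (value with LOOSE, value with STRICT)}.
    """
    referers = [
        "https://portal.example/dashboard",        # the framing page we want
        "https://portal.example.other.test/x",     # unrelated host containing the string
        "http://portal.example/dashboard",         # right host, plain http
    ]
    return {
        r: (rewrite_xfo(r, LOOSE, False, "/my.policy"),
            rewrite_xfo(r, STRICT, False, "/my.policy"))
        for r in referers
    }


if __name__ == "__main__":
    for referer, (loose, strict) in compare_patterns().items():
        print(f"{referer:40s} loose={loose:45s} strict={strict}")
```

The comparison makes the practical point: with the loose pattern, any referer that merely contains the host string is copied straight into ALLOW-FROM, while the anchored pattern grants framing only to the scheme and host you actually intended. Whatever you put at UPDATE_THIS, check it against a few referers like these before relying on it.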
USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

I found a way to prevent the dialog from breaking out of the frame:

  1. go to the Access Policy -> Customization -> Advanced
  2. go to Access Profiles / / Access Policy / Logon Pages / Logon Page / logon.inc
  3. Search for if(self != top) { top.location = self.location; } and comment it out so it looks like this: //if(self != top) { top.location = self.location; }
  4. Save changes; Apply policy changes
0