x-frame-options settings not working in APM

Have you tried to change the apm.xframeoptions value?

 modify sys db apm.xframeoptions value none

Have you seen this SOL?

https://support.f5.com/kb/en-us/solutions/public/16000/600/sol16642.html

-Seth

Hi Rabbit,

you may try to use...

when HTTP_RESPONSE_RELEASE {
    log local0.notice "removing header"
    HTTP::header remove X-Frame-Options
}

... HTTP_RESPONSE_RELEASE is the very last event before sending the response to the client.

Cheers, Kai

Try doing "bigstart restart". The ramcache in BIG-IP stores the pages for APM's HTTP server so that the server itself doesn't have to deal with incoming client requests. I tested this in v12.0 and it seems to be fine, but it does require a restart.

I personally prefer using of Content-Security-Policy and X-Content-Security-Policy, instead of X-Frame-Options.

X-Frame-Options header is not very flexible, especially if you want to allow your APM site to be rendered on more than just one site. This is the code I use, which is quite similar to Kai's and Rabbit23's code:

when CLIENT_ACCEPTED {
  ACCESS::restrict_irule_events disable
}

when HTTP_RESPONSE_RELEASE {

  set apm_csp "frame-ancestors 'self' developer.mozilla.org *.f5.com"

   X-Frame-Options, Content-Security-Policy, X-Content-Security-Policy
  
  HTTP::header remove X-Frame-Options
  HTTP::header remove Content-Security-Policy
  HTTP::header remove X-Content-Security-Policy

  HTTP::header insert Content-Security-Policy "$apm_csp"
  HTTP::header insert X-Content-Security-Policy "$apm_csp"
}

<p>In the example above your APM site will be allowed to be rendered inside an <code><iframe></code> on the site's own origin (this excludes subdomains), <code>developer.mozilla.org</code> and all <code>f5.com</code> subdomains.</p> <p>I really wish F5 stopped using <code>X-Frame-Options</code> and started using <code>Content-Security-Policy</code> and <code>X-Content-Security-Policy</code> instead.</p>