Last Modified: Sep 13, 2023
Affected Product(s):
BIG-IP ASM
Known Affected Versions:
11.5.1 HF1, 11.5.1 HF2, 11.5.1 HF3, 11.5.1 HF4, 11.5.1 HF5, 11.5.1 HF6, 11.5.1 HF7, 11.5.1 HF8, 11.5.1 HF9, 11.5.1 HF10, 11.5.1 HF11, 11.5.2 HF1, 11.5.3 HF1, 11.6.0, 11.6.1, 11.6.2, 11.6.3, 11.6.3.1, 11.6.3.2, 11.6.3.3, 11.6.3.4, 11.6.4, 11.6.5, 11.6.5.1, 11.6.5.2, 11.6.5.3, 12.1.0 HF1, 12.1.0 HF2, 12.1.1 HF1, 12.1.1 HF2, 12.1.2 HF1, 12.1.2 HF2
Fixed In:
12.0.0, 11.6.0 HF5, 11.5.3 HF2
Opened: Mar 16, 2015 Severity: 3-Major
The REST API for URLs was missing a field for Clickjacking Protection configuration. When trying to configure that 'Rendering in Frames' should only be allowed from a single URL, there is no field to specify that URL.
A REST API client is unable to correctly configure protection that is meant to be allowed only from a specified URL.
REST API is being used to configure Clickjacking Protection for URLs.
Configure via the GUI instead of REST.
This release adds the missing field for REST to specify the 'only-from' clickjacking URL: 'allowRenderingInFramesOnlyFrom'.