Last Modified: May 29, 2024
Affected Product(s):
BIG-IP APM
Known Affected Versions:
14.0.0, 14.0.0.1, 14.0.0.2, 14.0.0.3, 14.0.0.4, 14.0.0.5, 14.0.1, 14.0.1.1
Fixed In:
14.1.0
Opened: Mar 22, 2018
Severity: 3-Major
If the HTTP request origin URL contains an explicit default port number, Portal Access may add an 'X-Frame-Options: DENY' header to the HTTP response.
In this case, Portal Access replaces the 'X-Frame-Options' header value with the string 'DENY'. The browser cannot show the page received from the back-end server because of the restriction imposed by the 'X-Frame-Options: DENY' response header.
-- Same-origin HTTP request with an explicit default port number in the origin URL, for example:

   GET /frame.html HTTP/1.1
   Host: http://some.com
   Origin: http://some.com:80/index.html

   Such a request may be produced by the browser parsing the following HTML page:

   <head><base href=http://some.com:80/index.html ></head>
   <iframe src=frame.html></iframe>

-- HTTP response from the back-end server with an 'X-Frame-Options: SAMEORIGIN' header.
Use an iRule to remove the 'X-Frame-Options: DENY' response header when necessary.
Portal Access now correctly handles any same-origin HTTP requests with the default HTTP port in the origin URL.
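
The condition above comes down to comparing origins without normalizing the scheme's default port. The following is an added example, not F5's code: it assumes a rewriting proxy that keeps a back-end 'X-Frame-Options: SAMEORIGIN' only when the page and frame origins match, and contrasts a textual origin comparison with one normalized by the WHATWG URL parser. All function names and the pass-through of other header values are assumptions made for illustration.

```javascript
// Added example: a model of the origin comparison, not F5's implementation.
// All function names here are hypothetical.

// Textual origin: scheme://authority exactly as written, explicit port kept.
function textualOrigin(url) {
  const m = /^([a-z][a-z0-9+.-]*:\/\/[^\/?#]*)/i.exec(url);
  return m ? m[1] : null;
}

// Normalized origin: the WHATWG URL parser lowercases the host and drops
// the scheme's default port (80 for http, 443 for https).
function normalizedOrigin(url) {
  try {
    const u = new URL(url);
    return u.protocol === "http:" || u.protocol === "https:" ? u.origin : null;
  } catch (e) {
    return null; // an unparsable URL never matches anything
  }
}

// Decide the X-Frame-Options value to send to the browser.
// Assumption: SAMEORIGIN survives only when both origins compare equal;
// any other back-end value (for example DENY) is passed through unchanged.
function frameOptionsFor(backendValue, pageUrl, frameUrl, originOf) {
  if (backendValue == null) return null; // back end sent no header
  const value = backendValue.trim().toUpperCase();
  if (value !== "SAMEORIGIN") return value;
  const page = originOf(pageUrl);
  const frame = originOf(frameUrl);
  return page !== null && page === frame ? "SAMEORIGIN" : "DENY";
}

// Constructed input built from the page's example URLs.
const PAGE = "http://some.com:80/index.html";
const FRAME = "http://some.com/frame.html";

function demo() {
  return {
    textual: frameOptionsFor("SAMEORIGIN", PAGE, FRAME, textualOrigin),
    normalized: frameOptionsFor("SAMEORIGIN", PAGE, FRAME, normalizedOrigin),
    otherPort: frameOptionsFor("SAMEORIGIN", "http://some.com:8080/", FRAME, normalizedOrigin),
  };
}

console.log(demo());
```

A genuinely different port still yields DENY after normalization, so the comparison does not weaken the framing restriction for cross-origin pages.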