Bug ID 711546: Portal Access: 'X-Frame-Options: DENY' header may be erroneously added to HTTP response

Last Modified: Oct 06, 2020

Bug Tracker

Affected Product:
BIG-IP APM(all modules)

Known Affected Versions:
14.0.0, 14.0.0.1, 14.0.0.2, 14.0.0.3, 14.0.0.4, 14.0.0.5, 14.0.1, 14.0.1.1

Fixed In:
14.1.0

Opened: Mar 22, 2018
Severity: 3-Major

Symptoms

If the HTTP request's Origin URL contains an explicit default port number, Portal Access may add an 'X-Frame-Options: DENY' header to the HTTP response.

Impact

In this case, Portal Access replaces the 'X-Frame-Options' header value with the string 'DENY'. The browser cannot display the page received from the back-end server because of the restriction imposed by the 'X-Frame-Options: DENY' response header.

Conditions

-- Same-origin HTTP request with an explicit default port number in the origin URL, for example:

   GET /frame.html HTTP/1.1
   Host: http://some.com
   Origin: http://some.com:80/index.html

   Such a request may be produced by the browser parsing the following HTML page:

   <head><base href=http://some.com:80/index.html ></head>
   <iframe src=frame.html></iframe>

-- HTTP response from the back-end server with an 'X-Frame-Options: SAMEORIGIN' header.
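The condition above comes down to how a rewriting proxy decides whether the request origin and the framed page share an origin. The following is an added illustration, not F5 code: a naive string comparison of 'scheme://host[:port]' treats 'http://some.com:80' and 'http://some.com' as different origins and so downgrades SAMEORIGIN to DENY, while a comparison that normalizes explicit default ports keeps SAMEORIGIN. The request URL is reconstructed from the Host and request line of the example above; the DENY-tightening rule is an assumed model of the proxy's behaviour.

```python
from urllib.parse import urlsplit

# Default ports that an explicit ":80" / ":443" must compare equal to.
DEFAULT_PORTS = {"http": 80, "https": 443}


def origin_tuple(url: str) -> tuple:
    """Return the (scheme, host, effective port) origin of a URL.

    An explicit default port is normalized away, so http://some.com:80
    and http://some.com yield the same tuple.
    """
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(scheme)
    return (scheme, host, port)


def naive_same_origin(request_url: str, origin_url: str) -> bool:
    """Defective check: compares raw scheme and netloc strings, so an
    explicit default port in the Origin makes the origins look different."""
    a, b = urlsplit(request_url), urlsplit(origin_url)
    return (a.scheme.lower(), a.netloc.lower()) == (b.scheme.lower(), b.netloc.lower())


def normalized_same_origin(request_url: str, origin_url: str) -> bool:
    """Correct check: compares normalized (scheme, host, port) tuples."""
    return origin_tuple(request_url) == origin_tuple(origin_url)


def rewrite_xfo(backend_value: str, request_url: str, origin_url: str, same_origin) -> str:
    """Assumed proxy rule: forward the back-end X-Frame-Options value unchanged,
    except that SAMEORIGIN becomes DENY when the checker says the request is
    cross-origin (the page cannot be framed by a foreign origin anyway)."""
    if backend_value.strip().upper() != "SAMEORIGIN":
        return backend_value
    return "SAMEORIGIN" if same_origin(request_url, origin_url) else "DENY"


if __name__ == "__main__":
    # Constructed from the request in the Conditions section.
    request_url = "http://some.com/frame.html"
    origin_url = "http://some.com:80/index.html"
    for checker in (naive_same_origin, normalized_same_origin):
        print(checker.__name__, "->", rewrite_xfo("SAMEORIGIN", request_url, origin_url, checker))
```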

Workaround

Use an iRule to remove the 'X-Frame-Options: DENY' response header when necessary.

Fix Information

Portal Access now correctly handles any same-origin HTTP request that has the default HTTP port in the origin URL.

Behavior Change