Jump to content
Welcome to our new Citrix community!

Use AAA vserver in iframe - modify X-Frame-Options header

Ross Bender

Recommended Posts

We are wanting to include some of our websites in an iframe, and the websites use a AAA virtual server for authentication. The browser is currently blocking the iframe because of the X-Frame-Options header from the AAA server:

Refused to display 'https://mycompany.com/site' in a frame because it set 'X-Frame-Options' to 'sameorigin'.


We have our AAA virtual server set up behind a content switching virtual server. I thought I would be able to solve this with a rewrite policy, but when I bind the policy to the CSVS, it is never hit. There is no way to bind rewrite polices to the AAA virtual server.


Has anyone faced this problem before? If so, how can the AAA virtual server be modified so that X-Frame-Options header can be set so the site can be used in an iframe?

Link to comment
Share on other sites

Here is a sample config with global bindings, this will drop the existing X-Frame-Options and add a new one. 

replace with your aaa vserver / CS Vserver fqdn


add rewrite action drpact delete_http_header X-Frame-Options
add rewrite action insAct insert_http_header X-Frame-Options "\"ALLOW-FROM https://mywebsite.com\""

add rewrite policy drop_xframe "http.REQ.HOSTNAME.CONTAINS(\"\")" drpact
add rewrite policy add_xframe "http.REQ.HOSTNAME.CONTAINS(\"\")" insAct

bind rewrite global drop_xframe 100 NEXT -type RES_OVERRIDE
bind rewrite global add_xframe 110 END -type RES_OVERRIDE


Link to comment
Share on other sites

  • 2 weeks later...

Not sure of your use case of putting the AAA Vserver page in an iframe and whether the use case itself is feasible or not..  but when you say not working is it you're not seeing policy getting hit ? not seeing the header being modified ? or it's modified but the page does not load in the iframe ? 


As far as putting the AAA Vserver in an iframe goes - I tried using CSP as browser support for x-frame-options support seems limited, and its seems to be working for me, see below aaa.training.lab is the aaa url and testsite.com is the site embedding this in an iframe.




Policy binding has to be in Override Global bind point, first policy to drop the xframe-options header and the second one to insert the CSP.



PS - It is true that there are limitations on what you can and cannot do with AAA Vserver response using a rewrite - like you cannot alter auth cookies and customizations like these will not be supported by Tech Support.  It's more of a use at your own risk proposition, so please test thoroughly.


Link to comment
Share on other sites

Odd, I'm not able to see any policy hits when binding them to override global--even if I make the policy expression completely generic ("true"). Neither policy gets hit. Version 12.1 build 43.29.


I'll have to do more looking at Content-Security-Policy vs X-Frame-Options. I hadn't looked at former I just saw we were getting errors related to X-Frame-Options.

Link to comment
Share on other sites


This topic is now archived and is closed to further replies.

  • Create New...