OPTION call is failing with X-Frame-Options: DENY

Hi,

When we hit our Edge API, we get HTTP/1.1 500 Internal Server Error with the OPTION call at first. I suspect the X-Frame-Options: DENY. The error message is shown below.

HTTP/1.1 500 Internal Server Error
Content-Security-Policy: frame-ancestors 'none'
Content-Type: application/json
Date: Mon, 10 Dec 2018 14:16:01 GMT
Strict-Transport-Security: max-age=86400
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
X-XSS-Protection: 1
Content-Length: 123
Connection: keep-alive

I tried to add <Header name="X-Frame-Options">SAMEORIGIN</Header> in the response header, but that did not help.

Can you please help me with how to handle this in Edge?

Regards,

Krushna

More information:

I am calling the API from a GUI where I am getting a "no content" error. When I check in the developer tools of Chrome, I am getting the error I described above.

And when I am checking the trace in Edge, in response sent to client although it is giving 200 OK, but proxy post client flow is showing 500 Internal Server Error and the request is giving a 500 response at the end.

Hope this is helpful to diagnose the problem.

7808-capture.jpg


we are getting HTTP/1.1 500 Internal Server Error

WHERE are we "getting" that?

Can you explain in more detail which system is generating the 500, which system is receiving it, and how you are observing that error? Is the target backend system sending that? Is Apigee Edge generating the 500? (You will be able to tell, if you run a Trace for the API call)

With more detailed information, I can try to help.

Hi Dino,

I am calling the API from a GUI where I am getting a "no content" error. When I check in the developer tools of Chrome, I am getting the below error.

HTTP/1.1 500 Internal Server Error
Content-Security-Policy: frame-ancestors 'none'
Content-Type: application/json
Date: Mon, 10 Dec 2018 14:16:01 GMT
Strict-Transport-Security: max-age=86400
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
X-XSS-Protection: 1
Content-Length: 123
Connection: keep-alive

And when I am checking the trace in Edge, in response sent to client although it is giving 200 OK, but proxy post client flow is showing 500 Internal Server Error and the request is giving a 500 response at the end.

Hope this is helpful to diagnose the problem.

7808-capture.jpg

Hi. Thanks for the additional information.

You said

In response sent to client although it is giving 200 OK, but proxy post client flow is showing 500 Internal Server Error

I don't understand why you say there was a 200 OK. It seems clear from the trace screenshot that the response is a 500.

Aside from that, ... looking at the trace I can see...

  • in the request flow, there is an AssignMessage policy. It apparently succeeds.
  • in the response flow, there is a sequence of 3 policies - AssignMessage, JavaScript, ServiceCallout. Is it possible that the ServiceCallout is failing (aka receiving a non-200 code) and leading to the 500 error that your API Proxy is returning?

The screenshot is helpful, but... the static picture still does not give complete information. YOU CAN LOOK in the trace, explore the trace UI, and see what each of those policies is doing. You will probably discover the source of the problem. This is where the Trace UI excels.

Good luck!