Forum Discussion
iFrame iRule
I am assuming in the second section that you meant to replace the X-Frame-Options header with "DENY" if the host name does not contain an element in the datagroup. (You have SAMEORIGIN for both the "then" and "else" portions of your "if" statement.) If so, something like this perhaps (syntax checked only):
    when HTTP_REQUEST {
        # If client IP not allowed to connect,
        # redirect to HTTPS
        if { ![class match [IP::client_addr] equals xxx] } {
            #log local0. "Denied IP [IP::client_addr] Forwarding to HTTPS"
            # Header name is passed without a trailing colon; value is quoted
            HTTP::respond 301 Location "https://[HTTP::host][HTTP::uri]"
        #} else {
            #log local0. "Allowed IP [IP::client_addr]"
        }
        # Set variable to HTTP host name
        # for HTTP response event use
        set host [string tolower [HTTP::host]]
    }
    when HTTP_RESPONSE {
        # Default is to deny iFrames
        HTTP::header replace X-Frame-Options "DENY"
        # If host name allows iFrame, replace
        # X-Frame-Options header with SAMEORIGIN
        if { [class match $host contains iFrameDataGroup] } {
            HTTP::header replace X-Frame-Options "SAMEORIGIN"
        }
    }
I do not recommend leaving the log statements in production. I would comment them out, as shown in the example, unless they are needed for troubleshooting. I also assumed that iFrames were more often denied than allowed. If that is not the case, then you can put the HTTP::header replace with the DENY option as an else clause in the HTTP_RESPONSE section.
Lastly, in the first section, I changed the matchclass command to class match, as the latter is recommended over the former. (Matchclass is one of the older datagroup commands.)
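Once an iRule like the one in the post above is deployed, captured response headers can be checked against the same decision it makes (lower-cased host, substring match against the data group, DENY by default). This Python check is an added example, not part of the original post; the data group entry, host names and responses are constructed, and the function names are hypothetical.

```python
# Added example: audit X-Frame-Options in captured responses against the
# policy the iRule is meant to enforce. All sample data is constructed.

# Stand-in for the entries of iFrameDataGroup (assumption, not from the post).
ALLOWED_SUBSTRINGS = ["portal.example.com"]

def expected_policy(host, allowed=ALLOWED_SUBSTRINGS):
    """Mirror the iRule: lower-case the host, substring match, default DENY."""
    host = host.lower()
    return "SAMEORIGIN" if any(entry in host for entry in allowed) else "DENY"

def xfo_values(raw_response):
    """Return every X-Frame-Options value found in a raw HTTP response head."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    values = []
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "x-frame-options":
            values.append(value.strip().upper())
    return values

def audit(host, raw_response):
    """Classify one captured response: ok, mismatch, missing or duplicate."""
    values = xfo_values(raw_response)
    if not values:
        return "missing"    # header absent: the response is frameable
    if len(values) > 1:
        return "duplicate"  # more than one header: flag for review
    return "ok" if values[0] == expected_policy(host) else "mismatch"

# Constructed (request host, raw response) pairs.
SAMPLES = [
    ("Portal.example.com", "HTTP/1.1 200 OK\r\nX-Frame-Options: SAMEORIGIN\r\n\r\n"),
    ("shop.example.com", "HTTP/1.1 200 OK\r\nx-frame-options: deny\r\n\r\n"),
    ("shop.example.com", "HTTP/1.1 200 OK\r\nX-Frame-Options: SAMEORIGIN\r\n\r\n"),
    ("shop.example.com", "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>"),
    ("shop.example.com",
     "HTTP/1.1 200 OK\r\nX-Frame-Options: DENY\r\nX-Frame-Options: SAMEORIGIN\r\n\r\n"),
]

def run_audit(samples=SAMPLES):
    """Audit every sample and return the list of verdicts in order."""
    return [audit(host, raw) for host, raw in samples]

if __name__ == "__main__":
    for (host, _), verdict in zip(SAMPLES, run_audit()):
        print(f"{host:22} {verdict}")
```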