Forum Discussion
Urgent assistance needed with ClickJacking iRule or HTTP Policy to cover multiple domains
We have an SSO (Single Sign-On) solution that front-ends several applications that use iFrames. It is also accessed via different domains that go back to the same VIP. Granted, I don't fully understand X-Frame-Options, but I do know that when we used sameorigin it broke one of the applications. We then applied the iRule below specifying one of the URLs, and it worked for said URL; however, when we discovered there was another URL, we found out those users had not been able to access the site since it was not covered by the ALLOW-FROM. Can a wildcard be used, or can a condition look at the URL and then insert the X-Frame-Options with an ALLOW-FROM specific to that URL?
SSO URLs: https://sso1.site.com and https://sso2.site.com
This worked when users access their applications behind sso1.site.com, but not sso2.site.com.
when HTTP_RESPONSE {
HTTP::header replace X-Frame-Options "ALLOW-FROM https://sso1.site.com"
}
- Anesh
Cirrostratus
Try this
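when HTTP_RESPONSE {
    # Normalise the host name before matching it against the data group
    set host [string tolower [HTTP::host]]
    # Choose the ALLOW-FROM origin depending on whether the host matches URLdatagroup
    if {[class match $host contains URLdatagroup]} {
        HTTP::header replace X-Frame-Options "ALLOW-FROM https://sso1.site.com"
    } else {
        HTTP::header replace X-Frame-Options "ALLOW-FROM https://sso2.site.com"
    }
}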
- Anesh
Cirrostratus
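when HTTP_REQUEST {
    # Capture the requested host name on the request side for use in the response
    set host [string tolower [HTTP::host]]
}
when HTTP_RESPONSE {
    # Choose the ALLOW-FROM origin depending on whether the host matches URLdatagroup
    if {[class match $host contains URLdatagroup]} {
        HTTP::header replace X-Frame-Options "ALLOW-FROM https://sso1.site.com"
    } else {
        HTTP::header replace X-Frame-Options "ALLOW-FROM https://sso2.site.com"
    }
}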
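A data-group-driven variant of the iRules in this thread, as an added example that is not part of the original posts or F5's own code. It assumes a hypothetical string data group named `frame_ancestors_dg` that maps each SSO host name to the origin allowed to frame it, and it also sends CSP `frame-ancestors`, because current browsers ignore `ALLOW-FROM`.

```tcl
# Added example, not from the thread.
# Assumed (hypothetical) string data group frame_ancestors_dg, key := value:
#   sso1.site.com := https://sso1.site.com
#   sso2.site.com := https://sso2.site.com
when HTTP_REQUEST {
    # Look up the allowed origin on the request side and carry it to the
    # response in a variable. Lowercase the host and drop any ":port"
    # suffix so the data group keys match exactly.
    set host [string tolower [getfield [HTTP::host] ":" 1]]
    # Returns the mapped value, or an empty string when the host is not listed.
    set allowed_origin [class match -value $host equals frame_ancestors_dg]
}

when HTTP_RESPONSE {
    if { $allowed_origin ne "" } {
        # Listed host: permit framing only by the origin mapped to it.
        HTTP::header replace X-Frame-Options "ALLOW-FROM $allowed_origin"
        # Inserted as an additional CSP header so an application-supplied
        # policy is not overwritten; browsers enforce every CSP header
        # they receive, so this can only tighten the result.
        HTTP::header insert Content-Security-Policy "frame-ancestors $allowed_origin"
    } else {
        # Unlisted host: fail closed instead of defaulting to another origin.
        HTTP::header replace X-Frame-Options "DENY"
        HTTP::header insert Content-Security-Policy "frame-ancestors 'none'"
    }
}
```

Adding a new SSO domain then only requires a new data group entry, and a host that is missing from the data group gets no framing permission at all rather than inheriting another domain's.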