Forum Discussion

gongya's avatar
gongya
Icon for Altocumulus rankAltocumulus
Nov 24, 2021

X-Frame-Options with deny does not block iframe

I have an iRule as follows:

when HTTP_RESPONSE {

   if {!([HTTP::header exists "X-Frame-Options"])} {

       HTTP::header insert X-Frame-Options "DENY"

   }

}

 

I expected the following page was blocked.

<html>

 <iframe src="https://abc.org/wfc/logon" title="description"></iframe>

 <head></head>

 <body>

 </body>

</html>

 

But it was not blocked.

What did I miss here ?

 

thanks !!

  • After more reading, it seems the x-frame-options prevents the page in my server from being loaded by someone else, right ?

    If I loaded another page in the same server within iframe, the page should be loaded ?

    When I tested it, the page was still loaded within <iframe> page </iframe>. Is this supposed to be?

  • How can I test a page blocked by x-frame-options DENY ?