
iFrames iRule

drodyc
Nimbostratus

The distant end customer is requesting iFrame headers for their application via HTTPS. How would I activate iFrame headers with iRules?

 

Could I have one written out for a specific URL and one that is a generic iFrame header that will allow iFrame if requested?

 

I honestly am not sure how iFrame even works. I just know the distant end user needs the iFrame headers to come in so that their dashboard application works on Firefox. Thank you so much

 

4 REPLIES

Hello Drodyc.

 

The iframes should be constructed in your backend server to be delivered to your clients.

 

After that, you can use them on different sites using something like this:

<iframe src="https://mydomain.com"></iframe>

For security reasons, a browser is not going to display iframes not belonging to the domain requested.

You can control that using one specific HTTP header called 'X-Frame-Options' (see https://developer.mozilla.org/es/docs/Web/HTTP/Headers/X-Frame-Options).

 

So you can configure your website to allow iframes from 'mydomain.com' using this HTTP header.

X-Frame-Options: ALLOW-FROM https://mydomain.com/

This header could be controlled in your backend server or directly in your F5 with an iRule.

    when HTTP_RESPONSE {
        # X-Frame-Options
        HTTP::header insert X-Frame-Options "ALLOW-FROM https://mydomain.com/"
    }

Regards,

Dario.
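
Added example, not part of the replies in this thread: current browsers, Firefox included, ignore X-Frame-Options when its value is ALLOW-FROM, and the supported way to name an allowed framing site is the Content-Security-Policy frame-ancestors directive. The iRule below sets a per-URL allowance plus a generic same-origin default; the host dashboard.example.com, the path /dashboard and the origin https://portal.example.net are placeholders to replace with your own values.

```tcl
# Added example, not from the thread. Host, path and portal origin are placeholders.
when HTTP_REQUEST {
    # HTTP::host and HTTP::path are request-side, so save them for the response event.
    set req_host [string tolower [getfield [HTTP::host] ":" 1]]
    set req_path [string tolower [HTTP::path]]
}

when HTTP_RESPONSE {
    # Flag a backend CSP that already restricts framing: browsers enforce every
    # CSP header they receive, so that restriction would still apply.
    foreach csp [HTTP::header values "Content-Security-Policy"] {
        if { [string tolower $csp] contains "frame-ancestors" } {
            log local0. "backend CSP already sets frame-ancestors for $req_host$req_path"
        }
    }

    # Remove any backend X-Frame-Options so only the policy below reaches the client.
    HTTP::header remove "X-Frame-Options"

    if { $req_host eq "dashboard.example.com" && $req_path starts_with "/dashboard" } {
        # Specific URL: the application itself plus one named partner origin may frame it.
        HTTP::header insert "Content-Security-Policy" "frame-ancestors 'self' https://portal.example.net"
    } else {
        # Generic default: same-origin framing only, with the legacy header for old browsers.
        HTTP::header insert "Content-Security-Policy" "frame-ancestors 'self'"
        HTTP::header insert "X-Frame-Options" "SAMEORIGIN"
    }
}
```

The virtual server needs an HTTP profile (and a client SSL profile for HTTPS) for these events to fire.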


It seems as though our backend server guys would rather have our BIG-IP make this work as opposed to their servers. I have tried the iRule below. The distant end users reported that it did not work. I used our backend server's URL and our distant end user's URL and both were unsuccessful. Is this iRule below all I need or am I missing other lines? Should the 1st line be HTTP_RESPONSE or HTTP_REQUEST?

 

    when HTTP_RESPONSE {
        # X-Frame-Options
        HTTP::header insert X-Frame-Options "ALLOW-FROM https://mydomain.com/"
    }

 

Is it recommended to use this iRule below?

    when HTTP_RESPONSE {
        HTTP::header replace X-Frame-Options "SAMEORIGIN"
    }

 

Lastly, do I need to modify a DB value in CLI or is that only for APM? Thank you so much!

 

I agree with Dario that this seems a job for the Dev Team. F5 has options to modify the content in the server response with Stream profile or HTTP::payload replace but for such a thing it will be complicated:

 

 

https://support.f5.com/csp/article/K39394712

https://support.f5.com/csp/article/K7027

https://clouddocs.f5.com/api/irules/STREAM__expression.html

https://clouddocs.f5.com/api/irules/HTTP__payload.html

https://support.f5.com/csp/article/K07535385

 
