iFrames iRule

drodyc · ‎18-May-2021

The distant end customer is requesting for iFrame headers for their application via HTTPS. How would I activate iFrame headers with iRules?

Could I have one written out for a specific URL and one that is a generic iFrame header that will allow iFrame if requested?

I honestly am not sure how iFrame even works. I just know the distant end user needs the iFrame headers to come in so that their dashboard application works on firefox. Thank you so much

Dario_Garrido · ‎18-May-2021

Hello Drodyc.

The iframes should be constructed in your backend server for being delived to your clients.

After that, you can use them in a different sites using something like this:

<iframe src="https://mydomain.com"></iframe>

For security reasons, one browser is not going to display iframes not belonging to the domain requested.

You can control that using one specific HTTP header called 'X-Frame-Options' (see https://developer.mozilla.org/es/docs/Web/HTTP/Headers/X-Frame-Options).

So you can configure your website to allow iframes from 'mydomain.com' using this HTTP header.

X-Frame-Options: ALLOW-FROM https://mydomain.com/

This header could be controlled in your backend server o directly in your F5 with an iRule.

when HTTP_RESPONSE {
	#X-Frame-Options
	HTTP::header insert X-Frame-Options "ALLOW-FROM https://mydomain.com/"
}

Regards,

Dario.

Regards,
Dario.

drodyc · ‎27-May-2021

It seems as though our backend server guys would rather us have our BIG-IP to make this work as oppose there servers. I have tried the iRule below. The distant end users reported that it did not work. I used our backend server's URL and our distant end user's URL and both was unsuccessful. Is this iRule below is all I need or am I missing other lines? Should the 1st line be HTTP_RESPONSE or HTTP_REQUEST?

when HTTP_RESPONSE {
#X-Frame-Options
HTTP::header insert X-Frame-Options "ALLOW-FROM https://mydomain.com/"
}

Is it recommended to use this iRule below?

when HTTP_RESPONSE {
HTTP::header replace X-Frame-Options "SAMEORIGIN"
}

Lastly, do I need to modify a DB value in CLI or is that only for APM? Thank you so much!

Nikoolayy1 · ‎18-May-2021

I agree with Dario that this seems a job for the Dev Team. F5 has options to modify the content in the server response with Stream profile or HTTP::payload replace but for such a thing it will be complicated:

https://support.f5.com/csp/article/K39394712

https://support.f5.com/csp/article/K7027

https://clouddocs.f5.com/api/irules/STREAM__expression.html

https://clouddocs.f5.com/api/irules/HTTP__payload.html

https://support.f5.com/csp/article/K07535385

drodyc · ‎27-May-2021

It seems as though our backend server guys would rather us have our BIG-IP to make this work as oppose there servers. I have tried the iRule below. The distant end users reported that it did not work. I used our backend server's URL and our distant end user's URL and both was unsuccessful. Is this iRule below is all I need or am I missing other lines? Should the 1st line be HTTP_RESPONSE or HTTP_REQUEST?

when HTTP_RESPONSE {
#X-Frame-Options
HTTP::header insert X-Frame-Options "ALLOW-FROM https://mydomain.com/"
}

Is it recommended to use this iRule below?

when HTTP_RESPONSE {
HTTP::header replace X-Frame-Options "SAMEORIGIN"
}

Lastly, do I need to modify a DB value in CLI or is that only for APM? Thank you so much!

DevCentral

iFrames iRule

Register For AppWorld 2024

DevCentral Podcasts