Help
Technical Forum
Ask questions. Discover Answers.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Technical Forum Quicklinks: No Replies | Active-Not Solved | Recent Solutions

iFrames iRule

drodyc
Nimbostratus
Nimbostratus

‎18-May-2021 09:34

The distant end customer is requesting for iFrame headers for their application via HTTPS. How would I activate iFrame headers with iRules?

 

Could I have one written out for a specific URL and one that is a generic iFrame header that will allow iFrame if requested?

 

I honestly am not sure how iFrame even works. I just know the distant end user needs the iFrame headers to come in so that their dashboard application works on firefox. Thank you so much

 

Labels:
0 Kudos
4 REPLIES 4

Dario_Garrido
MVP
MVP

‎18-May-2021 11:48

Hello Drodyc.

 

The iframes should be constructed in your backend server for being delived to your clients.

 

After that, you can use them in a different sites using something like this:

<iframe src="https://mydomain.com"></iframe>

For security reasons, one browser is not going to display iframes not belonging to the domain requested.

You can control that using one specific HTTP header called 'X-Frame-Options' (see https://developer.mozilla.org/es/docs/Web/HTTP/Headers/X-Frame-Options).

 

So you can configure your website to allow iframes from 'mydomain.com' using this HTTP header.

X-Frame-Options: ALLOW-FROM https://mydomain.com/

This header could be controlled in your backend server o directly in your F5 with an iRule.

when HTTP_RESPONSE { #X-Frame-Options HTTP::header insert X-Frame-Options "ALLOW-FROM https://mydomain.com/" }

Regards,

Dario.

Regards,
Dario.
0 Kudos

drodyc
Nimbostratus
Nimbostratus
In response to Dario_Garrido

‎27-May-2021 09:00

It seems as though our backend server guys would rather us have our BIG-IP to make this work as oppose there servers. I have tried the iRule below. The distant end users reported that it did not work. I used our backend server's URL and our distant end user's URL and both was unsuccessful. Is this iRule below is all I need or am I missing other lines? Should the 1st line be HTTP_RESPONSE or HTTP_REQUEST?

 

  1. when HTTP_RESPONSE {
  2. #X-Frame-Options
  3. HTTP::header insert X-Frame-Options "ALLOW-FROM https://mydomain.com/"
  4. }

 

Is it recommended to use this iRule below?

  1. when HTTP_RESPONSE {
  2. HTTP::header replace X-Frame-Options "SAMEORIGIN"
  3. }

 

Lastly, do I need to modify a DB value in CLI or is that only for APM? Thank you so much!

 

0 Kudos

Nikoolayy1
MVP
MVP

‎18-May-2021 23:12

I agree with Dario that this seems a job for the Dev Team. F5 has options to modify the content in the server response with Stream profile or HTTP::payload replace but for such a thing it will be complicated:

 

 

https://support.f5.com/csp/article/K39394712

 

https://support.f5.com/csp/article/K7027

 

https://clouddocs.f5.com/api/irules/STREAM__expression.html

 

 

 

 

 

https://clouddocs.f5.com/api/irules/HTTP__payload.html

 

https://support.f5.com/csp/article/K07535385

 

0 Kudos

drodyc
Nimbostratus
Nimbostratus
In response to Nikoolayy1

‎27-May-2021 09:00

It seems as though our backend server guys would rather us have our BIG-IP to make this work as oppose there servers. I have tried the iRule below. The distant end users reported that it did not work. I used our backend server's URL and our distant end user's URL and both was unsuccessful. Is this iRule below is all I need or am I missing other lines? Should the 1st line be HTTP_RESPONSE or HTTP_REQUEST?

 

  1. when HTTP_RESPONSE {
  2. #X-Frame-Options
  3. HTTP::header insert X-Frame-Options "ALLOW-FROM https://mydomain.com/"
  4. }

 

Is it recommended to use this iRule below?

  1. when HTTP_RESPONSE {
  2. HTTP::header replace X-Frame-Options "SAMEORIGIN"
  3. }

 

Lastly, do I need to modify a DB value in CLI or is that only for APM? Thank you so much!

 

0 Kudos
Copyright © 2023 Khoros, LLC