
X-Frame-Options with deny does not block iframe

gongya
Nimbostratus

I have an iRule as follows:

when HTTP_RESPONSE {
   if {!([HTTP::header exists "X-Frame-Options"])} {
       HTTP::header insert X-Frame-Options "DENY"
   }
}

I expected the following page to be blocked.

<html>
 <head></head>
 <body>
  <iframe src="https://abc.org/wfc/logon" title="description"></iframe>
 </body>
</html>

But it was not blocked.

What did I miss here?

Thanks!!

3 REPLIES

gongya
Nimbostratus

After more reading, it seems that X-Frame-Options prevents the page on my server from being loaded by someone else, right?

If I loaded another page on the same server within an iframe, the page should be loaded?

When I tested it, the page was still loaded within <iframe> page </iframe>. Is this how it is supposed to be?

gongya
Nimbostratus

How can I test a page blocked by X-Frame-Options DENY?

gongya
Nimbostratus

I figured it out. Thanks!!
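
A simplified model of how a current browser evaluates X-Frame-Options on the framed response, added here as an example and not code from the thread. The function name, its parameters and every URL other than https://abc.org/wfc/logon are assumptions; it goes beyond DENY to cover SAMEORIGIN, repeated headers and the CSP frame-ancestors override.

```javascript
// Added example: would X-Frame-Options stop this page from rendering in a frame?
// headers:      [name, value] pairs from the response of the page inside the <iframe>
// framedUrl:    URL of that framed page
// ancestorUrls: URLs of every page above it (parent, grandparent, ...)
function xfoBlocksFraming(headers, framedUrl, ancestorUrls) {
  const get = (name) => headers
    .filter(([n]) => n.toLowerCase() === name)
    .map(([, v]) => v);

  // An enforced CSP carrying frame-ancestors makes browsers skip X-Frame-Options.
  const hasFrameAncestors = get("content-security-policy").some((policy) =>
    policy.split(";").some((d) => /^frame-ancestors(\s|$)/i.test(d.trim())));
  if (hasFrameAncestors) {
    return { blocked: false, reason: "X-Frame-Options ignored, CSP frame-ancestors decides" };
  }

  // Repeated headers and comma-separated values are merged into one set.
  const values = new Set(get("x-frame-options")
    .flatMap((v) => v.split(","))
    .map((v) => v.trim().toLowerCase())
    .filter((v) => v !== ""));
  const known = ["deny", "sameorigin", "allowall"];

  if (values.size === 0) return { blocked: false, reason: "no X-Frame-Options header" };
  if (values.size > 1) {
    // Mixed values that include a recognised one are treated as a block.
    return known.some((k) => values.has(k))
      ? { blocked: true, reason: "conflicting X-Frame-Options values" }
      : { blocked: false, reason: "only unrecognised values, header has no effect" };
  }
  const [value] = values;
  if (value === "deny") {
    return { blocked: true, reason: "DENY blocks every parent, same-origin included" };
  }
  if (value === "sameorigin") {
    const origin = new URL(framedUrl).origin;
    const same = ancestorUrls.every((u) => new URL(u).origin === origin);
    return { blocked: !same, reason: same ? "all ancestors same-origin" : "cross-origin ancestor" };
  }
  // ALLOW-FROM and other unrecognised values are not enforced by current browsers.
  return { blocked: false, reason: `"${value}" has no effect` };
}
```

To check a live page, copy the response headers of the framed URL from the browser's developer tools (Network tab) and pass them in. The header has to be on the response for the page inside the iframe, not on the parent page.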