Help
Technical Forum
Ask questions. Discover Answers.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Technical Forum Quicklinks: No Replies | Active-Not Solved | Recent Solutions

X-Frame-Options with deny does not block iframe

gongya
Nimbostratus
Nimbostratus

‎24-Nov-2021 09:42

I have an iRule as follows:

when HTTP_RESPONSE {

   if {!([HTTP::header exists "X-Frame-Options"])} {

       HTTP::header insert X-Frame-Options "DENY"

   }

}

 

I expected the following page was blocked.

<html>

 <iframe src="https://abc.org/wfc/logon" title="description"></iframe>

 <head></head>

 <body>

 </body>

</html>

 

But it was not blocked.

What did I miss here ?

 

thanks !!

Labels:
0 Kudos
3 REPLIES 3

gongya
Nimbostratus
Nimbostratus

‎24-Nov-2021 17:01

After more reading, it seems the x-frame-options prevents the page in my server from being loaded by someone else, right ?

If I loaded another page in the same server within iframe, the page should be loaded ?

When I tested it, the page was still loaded within <iframe> page </iframe>. Is this supposed to be?

0 Kudos

gongya
Nimbostratus
Nimbostratus

‎24-Nov-2021 17:02

How can I test a page blocked by x-frame-options DENY ?

 

0 Kudos

gongya
Nimbostratus
Nimbostratus

‎24-Nov-2021 19:01

I figured it out. thanks !!

0 Kudos
Copyright © 2023 Khoros, LLC