Forum Discussion

MSK_222682
May 18, 2016

Configuring X-Frame-Options Allow-From

Hi All,

I have been asked by the business to configure X-Frame-Options Allow-From in the response header. 

Quick search gave me the below iRule,

when HTTP_RESPONSE { HTTP::header insert "X-FRAME-OPTIONS" "SAMEORIGIN" }

However, the value of the XFO is to be Allow-From. 

Can anyone please look into this for an appropriate iRule.

Thanks in advance,
MSK
  • It's certainly doable, but it's a bit of a limiting solution for the customer. If you specify that Allow-From option, your customers will be restricted to Internet Explorer or Mozilla Firefox (Chrome, Chromium, Safari do not support Allow-From).

    For public-facing applications, there are two options - use SAMEORIGIN as the value for X-Frame-Options, or do not use X-Frame-Options at all. It's a pity that developers of major web browsers do not cooperate to align standards.

    If you still want to go for it:

    when HTTP_RESPONSE {
      # Only one X-Frame-Options header should reach the browser: set it when the
      # application did not send one, otherwise overwrite whatever it sent.
      if { not ([HTTP::header exists "X-Frame-Options"]) } {
        HTTP::header insert X-Frame-Options {ALLOW-FROM https://devcentral.f5.com}
      } else {
        HTTP::header replace X-Frame-Options {ALLOW-FROM https://devcentral.f5.com}
      }
    }

    Have not tested for errors (please verify in QA, and check /var/log/ltm for TCL errors)

    Regards,
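
For the QA check mentioned above, here is an added Python helper (not code from the thread or from F5) that validates the X-Frame-Options value a server returns against the RFC 7034 grammar (DENY, SAMEORIGIN, or ALLOW-FROM with a single origin) and flags malformed values such as the stray parenthesis in the question's snippet. The raw HTTP response used as input is constructed; in practice feed it the output of `curl -i`.

```python
"""Validate X-Frame-Options header values (RFC 7034 grammar) for QA checks."""
import re
from urllib.parse import urlsplit

# RFC 7034: X-Frame-Options = "DENY" / "SAMEORIGIN" / "ALLOW-FROM" RWS serialized-origin
_ALLOW_FROM = re.compile(r"^ALLOW-FROM[ \t]+(\S+)$", re.IGNORECASE)


def check_xfo(value):
    """Return (ok, reason). ok is True only for a well-formed single value.

    ALLOW-FROM must carry exactly one origin (scheme://host[:port]) with no
    path, query or fragment; a bare hostname or a full URL is rejected.
    """
    v = value.strip()
    if "," in v:
        return False, "multiple values in one header are not allowed"
    if v.upper() in ("DENY", "SAMEORIGIN"):
        return True, v.upper()
    m = _ALLOW_FROM.match(v)
    if not m:
        return False, "unrecognised directive: %r" % v
    origin = m.group(1)
    parts = urlsplit(origin)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return False, "ALLOW-FROM needs an absolute http(s) origin"
    if parts.path not in ("", "/") or parts.query or parts.fragment:
        return False, "ALLOW-FROM takes an origin, not a URL with a path"
    return True, "ALLOW-FROM " + origin


def audit_headers(raw_response):
    """Report every X-Frame-Options header in a raw HTTP response.

    Returns a list of (value, ok, reason); more than one entry means the
    application and the iRule both set the header, which browsers may ignore.
    """
    results = []
    head = raw_response.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:          # skip the status line
        name, _, val = line.partition(":")
        if name.strip().lower() == "x-frame-options":
            ok, reason = check_xfo(val)
            results.append((val.strip(), ok, reason))
    return results


# Constructed sample response, as a BIG-IP running the iRule above might return it.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "X-Frame-Options: ALLOW-FROM https://devcentral.f5.com\r\n"
    "\r\n<html></html>"
)
```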

    • MSK_222682
      Hi Hannes, thanks for the quick response! I agree with you that it's the developers' job to include security elements in their design phase itself rather than later. With regards to the value, penetration results were successfully tested from IE11 & Firefox46 for this application with the value set to Allow-From. So, they want to deploy this solution on BIG-IP. Is it possible for you to share the iRule to set the X-Frame-Options header value to Allow-From? Thanks in advance, MSK