Allow any same origin site inside an iframe on any page - without modifying request headers or proxy


Charlie Mike

Jun 20, 2023, 5:04:45 AM
to Chromium Extensions
A third party extension I've been playing around with inserts an iframe into the current page, that just displays the current page inside the iframe. 

This iframe works on every single site I have tried, even sites with X-FRAME-OPTIONS: DENY. It does not modify the request or response headers apart from setting the User-Agent to a mobile device.

It also works on sites with frame-ancestors CSP header.

This extension is not using any proxy.

How on earth is this even possible? Any ideas for how this could possibly be achieved? I've scoured the internet for how this can be achieved and found absolutely nothing about it even being possible.

Oliver Dunk

Jun 20, 2023, 5:12:25 AM
to Charlie Mike, Chromium Extensions
Hi Charlie,

If we could keep the conversation here it would avoid having two threads about the same topic: https://groups.google.com/a/chromium.org/g/chromium-extensions/c/qzE9dC21Pec/m/F8i_Z95OBQAJ

Thanks!
Oliver Dunk | DevRel, Chrome Extensions | https://developer.chrome.com/ | London, GB


--
You received this message because you are subscribed to the Google Groups "Chromium Extensions" group.
To unsubscribe from this group and stop receiving emails from it, send an email to chromium-extens...@chromium.org.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/chromium-extensions/2f91f456-8434-4968-b986-431ea8f308den%40chromium.org.

Connor Talbot

Jun 20, 2023, 10:15:49 PM
to Chromium Extensions
I’ve just tested another manifest V2 iframe extension that also uses webRequests (Not DNR) and it also appears to not set X-FRAME-OPTIONS but it works on all sites.

So I think yes, this is definitely a bug with the devtools Network tab.
