Is it possible to load a site with X-Frame-Options: SAMEORIGIN in an iframe?


Uladzimir Yankovich

Aug 4, 2022, 4:35:21 PM
to Chromium Extensions
Colleagues, I need your help. Do Manifest V3 extensions have any way to make sites that have X-Frame-Options: SAMEORIGIN set load in an iframe?

I'm actually wondering if it's possible to move an extension like https://chrome.google.com/webstore/detail/black-menu-for-google/eignhdfgaldabilaaegmdfbajngjmoke to manifest v3.

Simeon Vincent

Aug 5, 2022, 12:39:58 AM
to Uladzimir Yankovich, Chromium Extensions
> Do Manifest V3 extensions have any way to make sites that have X-Frame-Options: SAMEORIGIN set load in an iframe?

Yep, THIS IS DANGEROUS, but you can strip the X-Frame-Options header from a response using the Declarative Net Request API. In order to help protect your users from cross-site scripting attacks, I'd STRONGLY recommend that you ONLY strip this header on requests for (1) iframed pages (2) on specific domains (3) loaded on your extension's pages.

    chrome.declarativeNetRequest.updateDynamicRules({
      removeRuleIds: [1],
      addRules: [{
        id: 1,
        condition: {
          resourceTypes: ["sub_frame"],                  // (1) iframed pages
          requestDomains: ["hip-amber-trawler.glitch.me"], // (2) on specific domains
          initiatorDomains: [chrome.runtime.id],         // (3) loaded on your extension's pages
        },
        action: {
          type: "modifyHeaders",
          responseHeaders: [{
            operation: "remove",
            header: "X-Frame-Options",
          }]
        },
      }]
    });

Note that stripping security headers like this requires you to have host permissions for the affected domain. If you've already got host permissions and don't want users to see a warning about blocking content on all sites, you will most likely want to use the declarativeNetRequestWithHostAccess permission.

Simeon - @dotproto
Chrome Extensions DevRel


Uladzimir Yankovich

Aug 5, 2022, 4:43:41 AM
to Chromium Extensions, Simeon Vincent, Chromium Extensions, Uladzimir Yankovich
God, what an idiot I am that I didn't ask this question here a year ago :(

Simeon, thank you so much for the detailed answer!

wOxxOm

Aug 5, 2022, 10:11:42 AM
to Chromium Extensions, yankovic...@gmail.com, Simeon Vincent, Chromium Extensions
FWIW, it's an old thing described in https://stackoverflow.com/q/15532791.

Uladzimir Yankovich

Aug 5, 2022, 1:46:35 PM
to Chromium Extensions, wOxxOm, Uladzimir Yankovich, Simeon Vincent, Chromium Extensions
wOxxOm, thank you very much; I will keep that link. Your response is, as always, appreciated!

Juraj M.

Aug 5, 2022, 2:37:05 PM
to Chromium Extensions, yankovic...@gmail.com, wOxxOm, Simeon Vincent, Chromium Extensions
What's the difference between "initiatorDomains" and "domains"?
Should one set both to the extension ID?
I'm reading the docs, but they both sound the same.

wOxxOm

Aug 5, 2022, 2:45:31 PM
to Chromium Extensions, juraj....@gmail.com, yankovic...@gmail.com, wOxxOm, Simeon Vincent, Chromium Extensions
`domains` is the old deprecated thing that conflated two concepts. Now there are two separate ways to specify the domain of the initiator (e.g. the URL of the page) and of the requested resource, the latter being a convenient alternative for urlFilter: '||domain/' and even better because it allows specifying an array of domains.

Juraj M.

Aug 5, 2022, 2:50:28 PM
to Chromium Extensions, wOxxOm, Juraj M., yankovic...@gmail.com, Simeon Vincent, Chromium Extensions
Oh, I totally missed the deprecation statement! I must be blind... or I'm just used to MDN docs more :).
Thank you for pointing this out!
PS: consider updating your amazing StackOverflow answer :)

Glen Chiacchieri

Jan 30, 2023, 2:42:34 PM
to Chromium Extensions, juraj....@gmail.com, wOxxOm, yankovic...@gmail.com, Simeon Vincent, Chromium Extensions
Hey, is the technique Simeon described in this thread still supposed to work? I just made a minimal repository to recreate the functionality (omitting requestDomains and including <all_urls> in hostPermissions for my use case) and it doesn't work — the site in an iframe in the action popup window refuses to connect. Can anyone take a look and tell me what isn't working? I've played with it a bunch and have been unable to ever get it working.

wOxxOm

Jan 30, 2023, 4:36:57 PM
to Chromium Extensions, Glen Chiacchieri, juraj....@gmail.com, wOxxOm, yankovic...@gmail.com, Simeon Vincent, Chromium Extensions
Glen Chiacchieri, that site is using its own service worker to replace network requests with cached responses, i.e., on subsequent navigation there's no network request at all, and hence declarativeNetRequest does nothing. You need to unregister that service worker and clear its cache every time you display the iframe, i.e., you may want to add the iframe element using appendChild() in your popup script after clearing chrome.browsingData. Example: https://stackoverflow.com/a/74823389.

Glen Chiacchieri

Jan 31, 2023, 11:29:07 AM
to wOxxOm, Chromium Extensions, juraj....@gmail.com, yankovic...@gmail.com, Simeon Vincent
Oh wow, I see, so the initial response was cached in the service worker and so declarativeNetRequest could never run afterwards. Thanks so much! Got it to work using your advice.

However, now I'm running into another issue. One site I tried to embed had an iframe inside the frame I was embedding. That child iframe somehow didn't hit declarativeNetRequest and the Content Security Policy raises a "frame-ancestors 'self'" exception. In the MV2 version this site was working fine. Any advice?

wOxxOm

Jan 31, 2023, 1:19:42 PM
to Chromium Extensions, Glen Chiacchieri, Chromium Extensions, juraj....@gmail.com, yankovic...@gmail.com, Simeon Vincent, wOxxOm
Assuming your code uses `initiatorDomains: [chrome.runtime.id]` it means the rule won't apply to a grand-child iframe. A possible solution is to add the hostname of the main iframe to initiatorDomains.
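The scoping Simeon recommended, the service-worker clearing from wOxxOm's first reply and the grand-child-frame fix just above, put together as an added example (my own code, not from anyone in this thread or from Chrome's docs). It assumes a hypothetical short allow-list of hosts, a rule-id range of 1000 upwards, and that the extension declares the "declarativeNetRequest" (or "declarativeNetRequestWithHostAccess"), "browsingData" and matching host permissions.

```javascript
// Added example, not code from the thread: narrowly scoped declarativeNetRequest
// rules for framing an allow-list of hosts on the extension's own pages. Rule
// building is kept pure so it can be checked outside Chrome; only the last two
// helpers touch chrome.* APIs.
const RULE_ID_BASE = 1000; // assumed: ids not used elsewhere in the extension

// One rule per allowed host. initiatorDomains lists the extension id (the
// popup that frames the page) and every allowed host, so a nested iframe
// inside a framed page is covered too (the grand-child case from the thread).
function buildFrameRules(extensionId, allowedHosts) {
  const initiators = [extensionId, ...allowedHosts];
  return allowedHosts.map((host, i) => ({
    id: RULE_ID_BASE + i,
    priority: 1,
    condition: {
      resourceTypes: ["sub_frame"], // (1) only iframed documents
      requestDomains: [host], // (2) only this host
      initiatorDomains: initiators, // (3) framed by us or by an allowed host
    },
    action: {
      type: "modifyHeaders",
      // Only X-Frame-Options is removed; a CSP frame-ancestors directive is
      // a separate header and is deliberately left untouched here.
      responseHeaders: [{ header: "X-Frame-Options", operation: "remove" }],
    },
  }));
}

// Installs the rules, replacing any earlier rules that used the same ids.
async function installFrameRules(extensionId, allowedHosts) {
  const addRules = buildFrameRules(extensionId, allowedHosts);
  await chrome.declarativeNetRequest.updateDynamicRules({
    removeRuleIds: addRules.map((r) => r.id),
    addRules,
  });
  return addRules.length;
}

// Popup side: drop the site's service worker and caches first (a cached
// response never reaches the network, so the rule would never run), then
// create the iframe. Needs the "browsingData" permission in the manifest.
async function showFramedSite(container, host) {
  await chrome.browsingData.remove(
    { origins: [`https://${host}`] },
    { serviceWorkers: true, cacheStorage: true, cache: true }
  );
  const frame = document.createElement("iframe");
  frame.src = `https://${host}/`;
  container.appendChild(frame);
  return frame;
}
```

Call installFrameRules(chrome.runtime.id, hosts) from the service worker on install or startup, and showFramedSite(document.body, host) from the popup script.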

Glen Chiacchieri

Jan 31, 2023, 5:26:48 PM
to wOxxOm, Chromium Extensions, juraj....@gmail.com, yankovic...@gmail.com, Simeon Vincent
Ah ha, that did it! I really do appreciate your help.

anton

Feb 13, 2024, 2:30:04 PM
to Chromium Extensions, Glen Chiacchieri, Chromium Extensions, juraj....@gmail.com, yankovic...@gmail.com, Simeon Vincent, wOxxOm
It is very strange that declarativeNetRequest does not provide the ability to filter by frameId. webRequest has this feature, but webRequestBlocking is not available in the v3 manifest. But you can vote for the ability to filter by frameId in declarativeNetRequest: https://issues.chromium.org/issues/40068586

On Wednesday, February 1, 2023 at 04:26:48 UTC+6, Glen Chiacchieri wrote: