Yep, THIS IS DANGEROUS, but you can strip the X-Frame-Options header from a response using the Declarative Net Request API. In order to help protect your users from cross-site scripting attacks, I'd STRONGLY recommend that you ONLY strip this header on requests for (1) iframed pages (2) on specific domains (3) loaded on your extension's pages.
chrome.declarativeNetRequest.updateDynamicRules({
  removeRuleIds: [1], // replace any earlier version of this rule
  addRules: [{
    id: 1,
    condition: {
      resourceTypes: ["sub_frame"], // (1) iframed pages
      requestDomains: ["example.com"], // (2) on specific domains (placeholder; list the domains you need)
      initiatorDomains: [chrome.runtime.id], // (3) loaded on your extension's pages
    },
    action: {
      type: "modifyHeaders",
      responseHeaders: [{
        operation: "remove",
        header: "X-Frame-Options",
      }]
    },
  }]
});
Note that stripping security headers like this requires you to have host permissions for the affected domain. If you've already got host permissions and don't want users to see a warning about blocking content on all sites, you will most likely want to use the declarativeNetRequestWithHostAccess permission.
Simeon - @dotproto
Chrome Extensions DevRel
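An added example, not part of the original post: a small audit function that checks whether a declarativeNetRequest rule removing X-Frame-Options is scoped on all three points listed above. The function name, the sample rules, the extension ID and the use of `requestDomains` for point (2) are assumptions made for this illustration.

```javascript
// Audit a declarativeNetRequest rule that removes X-Frame-Options.
// Returns a list of findings; an empty list means the rule is scoped on
// all three points: sub_frame only, named domains, extension-initiated.
function auditFrameHeaderRule(rule, extensionId) {
  const findings = [];
  const action = rule.action || {};
  const stripsXfo = action.type === "modifyHeaders" &&
    (action.responseHeaders || []).some((h) =>
      h.operation === "remove" &&
      String(h.header).toLowerCase() === "x-frame-options"); // header names are case-insensitive
  if (!stripsXfo) return findings; // rule leaves the header alone

  const cond = rule.condition || {};
  // (1) iframed pages only. An omitted resourceTypes list matches more than sub_frame.
  const types = cond.resourceTypes || [];
  if (types.length !== 1 || types[0] !== "sub_frame") {
    findings.push("resourceTypes must be exactly [\"sub_frame\"]");
  }
  // (2) specific domains only (assumes requestDomains is used for scoping).
  if (!Array.isArray(cond.requestDomains) || cond.requestDomains.length === 0) {
    findings.push("requestDomains is missing, so every domain is affected");
  }
  // (3) only frames loaded by the extension's own pages.
  const initiators = cond.initiatorDomains || [];
  if (initiators.length !== 1 || initiators[0] !== extensionId) {
    findings.push("initiatorDomains must contain only the extension's own ID");
  }
  return findings;
}

// Constructed sample data: a placeholder extension ID and two rules.
const EXT_ID = "abcdefghijklmnopabcdefghijklmnop";
const removeXfo = { type: "modifyHeaders",
  responseHeaders: [{ operation: "remove", header: "x-frame-options" }] };
const scopedRule = { id: 1, action: removeXfo, condition: {
  resourceTypes: ["sub_frame"],
  requestDomains: ["example.com"],
  initiatorDomains: [EXT_ID] } };
const broadRule = { id: 2, action: removeXfo, condition: {
  resourceTypes: ["main_frame", "sub_frame"] } };

// Audit a whole rule set and keep only the rules that need attention.
function auditAll(rules, extensionId) {
  return rules
    .map((r) => ({ id: r.id, findings: auditFrameHeaderRule(r, extensionId) }))
    .filter((r) => r.findings.length > 0);
}
```

In an extension, the same check can be run over the result of `chrome.declarativeNetRequest.getDynamicRules()` with `chrome.runtime.id` as the second argument.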