How to restrict declarativeNetRequest rule to requests originating from the extension's offscreen page
18 views
Skip to first unread message
Filipp Riabchun
Dec 3, 2024, 6:10:09 AM (yesterday) Dec 3
to Chromium Extensions
I'm embedding iframes in my offscreen page.The goal is to have an always-open hidden tab with the corresponding website where I can inject a script to interact with a notification service.
To do that, I need to interfere with the website's CSP. What I used to do with Manifest V2 was
```
browser.webRequest.onHeadersReceived.addListener(
({responseHeaders}) => ({
responseHeaders: responseHeaders
.filter(header => header.name.toLowerCase() !== 'x-frame-options')
.map(header =>
header.name.toLowerCase() === 'content-security-policy'
? {
...header,
value: header.value.replace('frame-ancestors', `frame-ancestors ${window.origin} `),
}
: header,
),
}),
{
urls: ['<all_urls>'],
types: ['sub_frame'],
},
['blocking', 'responseHeaders', isChrome && 'extraHeaders'].filter(Boolean),
)
```
I'm migrating to V3 and I'm trying to achieve it using
```
browser.declarativeNetRequest.updateDynamicRules({
removeRuleIds: [1],
addRules: [
{
id: 1,
priority: 1,
action: {
type: 'modifyHeaders',
responseHeaders: [
{
header: 'Content-Security-Policy',
operation: 'remove',
},
{
header: 'X-Frame-Options',
operation: 'remove',
},
],
},
condition: {
resourceTypes: ['sub_frame'],
initiatorDomains: [browser.runtime.id],
},
},
],
})
```
But looks like the `initiatorDomains` filter doesn't work properly with the requests originating from the offscreen page. Can it be that it works only with http(s):// schema? I don't want to omit the initiator filter because that would mean compromising the website's security
To do that, I need to interfere with the website's CSP. What I used to do with Manifest V2 was
```
browser.webRequest.onHeadersReceived.addListener(
({responseHeaders}) => ({
responseHeaders: responseHeaders
.filter(header => header.name.toLowerCase() !== 'x-frame-options')
.map(header =>
header.name.toLowerCase() === 'content-security-policy'
? {
...header,
value: header.value.replace('frame-ancestors', `frame-ancestors ${window.origin} `),
}
: header,
),
}),
{
urls: ['<all_urls>'],
types: ['sub_frame'],
},
['blocking', 'responseHeaders', isChrome && 'extraHeaders'].filter(Boolean),
)
```
I'm migrating to V3 and I'm trying to achieve it using
```
browser.declarativeNetRequest.updateDynamicRules({
removeRuleIds: [1],
addRules: [
{
id: 1,
priority: 1,
action: {
type: 'modifyHeaders',
responseHeaders: [
{
header: 'Content-Security-Policy',
operation: 'remove',
},
{
header: 'X-Frame-Options',
operation: 'remove',
},
],
},
condition: {
resourceTypes: ['sub_frame'],
initiatorDomains: [browser.runtime.id],
},
},
],
})
```
But looks like the `initiatorDomains` filter doesn't work properly with the requests originating from the offscreen page. Can it be that it works only with http(s):// schema? I don't want to omit the initiator filter because that would mean compromising the website's security
Reply all
Reply to author
Forward
0 new messages