Hosting the Page in IFRAME inside chrome extension whose X-FRAME is set to DENY or SAME ORIGIN.


kapil ratra

Sep 18, 2015, 2:01:20 AM
to Chromium-extensions
I was trying to host a web page in the chrome extension popup and was hitting the error X-FRAME options set to deny or SAME ORIGIN. As an alternative approach I opened up the page in a new chrome browser instance and injected the script into it so that I can send the message from the page to the content script and then back to my popup page once the work is done in the new window. The UI experience of this approach does not look good and hence I wanted to go via the Iframe route.

Can someone suggest the right approach by which we can host a web page in an IFRAME in the chrome extension popup and get around the deny and SAME ORIGIN? Also, will this be correct with respect to security?
I came across this unanswered blog but it seems to me a hack. Hence I wanted to get clarity on the chromium-extensions forum.



Thanks,
Kapil

Antony Sargent

Sep 18, 2015, 4:09:33 PM
to kapil ratra, Chromium-extensions
That Stack Overflow post seems to be asking about a content script inserting the iframe into some http(s):// page where the content script is running, which may be slightly different from inserting the iframe into a chrome-extension:// url. If you haven't already, you might try seeing if it makes any difference if your extension has declared host permissions for the site you want to have in the iframe.

--
You received this message because you are subscribed to the Google Groups "Chromium-extensions" group.
To unsubscribe from this group and stop receiving emails from it, send an email to chromium-extens...@chromium.org.
To post to this group, send email to chromium-...@chromium.org.
Visit this group at http://groups.google.com/a/chromium.org/group/chromium-extensions/.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/chromium-extensions/f66415e1-2500-4ca3-9e4f-159f89bf8433%40chromium.org.
For more options, visit https://groups.google.com/a/chromium.org/d/optout.

kapil ratra

Sep 21, 2015, 1:58:23 PM
to Chromium-extensions, kapil...@gmail.com
The extension has declared allurl permissions. Is there any recommended way by which, in a chrome extension, we can host an iframe whose source points to a page which has set XFRAME-OPTIONS DENY or SAMEORIGIN?



Antony Sargent

Sep 21, 2015, 5:13:42 PM
to kapil ratra, Chromium-extensions
You might be able to kill the X-Frame-Options header from incoming requests using the webRequest API. However, the X-Frame-Options header provides some important security capabilities so you should make very sure you understand the implications for your users' security of doing this (e.g. always removing that header for all requests unconditionally would be a *bad* idea; but doing it in some very targeted circumstance might be appropriate).
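
An added illustration of the "very targeted circumstance" mentioned above; this is not code posted by anyone in the thread. It assumes a Manifest V2 extension using the blocking `chrome.webRequest.onHeadersReceived` event, a single embedded site named by the placeholder `ALLOWED_FRAME_HOST`, and that requests made from the popup carry `tabId` -1. The header is left in place for every other response, including the same site loaded in a normal tab.

```javascript
// Added example, not from the thread. The host below is a placeholder.
const ALLOWED_FRAME_HOST = "embedded.example"; // assumption: the one site the popup embeds

// Constructed sample of a response header list, used to exercise the filter offline.
const SAMPLE_HEADERS = [
  { name: "X-Frame-Options", value: "DENY" },
  { name: "Content-Type", value: "text/html" },
];

// Decide, per response, whether the framing restriction may be relaxed.
function shouldRelaxFraming(details) {
  let url;
  try {
    url = new URL(details.url);
  } catch (e) {
    return false; // unparsable URL: leave the response alone
  }
  return (
    details.type === "sub_frame" &&      // only framed documents, never top-level loads
    details.tabId === -1 &&              // assumption: popup requests are not tied to a tab
    url.protocol === "https:" &&
    url.hostname === ALLOWED_FRAME_HOST  // exact host match, no substring or suffix test
  );
}

// Returns the header list to hand back to the browser.
// Headers are returned untouched unless every condition above holds.
function filterResponseHeaders(details) {
  const headers = details.responseHeaders || [];
  if (!shouldRelaxFraming(details)) return headers;
  return headers.filter((h) => h.name.toLowerCase() !== "x-frame-options");
}

// Registration runs only inside an extension. It needs the "webRequest" and
// "webRequestBlocking" permissions plus a host permission for the one site.
if (typeof chrome !== "undefined" && chrome.webRequest) {
  chrome.webRequest.onHeadersReceived.addListener(
    (details) => ({ responseHeaders: filterResponseHeaders(details) }),
    { urls: ["https://" + ALLOWED_FRAME_HOST + "/*"], types: ["sub_frame"] },
    ["blocking", "responseHeaders"]
  );
}
```

The URL filter passed to `addListener` and the checks in `shouldRelaxFraming` overlap on purpose, so a later change that loosens one of them does not silently widen the exemption.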

