Most often, I’ve wanted to strip off X-Frame-Options in extensions where it makes sense to keep a website open in an invisible persistent webpage (in MV2, this would’ve been background.js).
For example, I wrote a comparison shopping site for a client whose purpose was to compare the same exact product across multiple stores “as the user sees it” (logged in to account, with all personalized promos/deals/coupons, etc). Of the handful of stores checked, it would add the item to the cart at whichever store was cheapest.
These sites didn’t have APIs that could be checked. So we fell back to a scraper strategy: In order to do this, I iframed all of the relevant stores in background.js, had each site run a content script, and had the background page emulate user actions in each frame by sending messages that each was set up to respond to.
Stripping X-Frame-Options was critical for this method to work at all.
Situations like these where you want to create a “virtual local API” via scraping and emulating user actions aren’t really supported very well by MV3, so I’ve basically tossed this approach in the trash. Haven’t had a reason to try to strip X-Frame-Options so far since.
Earlier on we planned to limit modifications to headers like X-Frame-Options, but last time I spoke with the engineers working on declarativeNetRequest they indicated that we hadn't implemented these restrictions and did not plan to. Cuyler, have you tested this recently?
Unfortunately
issue 1247400 makes figuring out if your rules are behaving as expected even harder as not all modifications are reflected in DevTools.
Simeon - @dotproto
Chrome Extensions DevRel
E.g., there are tons of MV2 extensions in the past where I've needed to modify the X-Frame-Options response header as a fundamental requirement in order to get an extension to serve its purpose, and I don't think that's something I could change with MV3.
IIRC, it only works with an extremely limited number of very specific headers, and which headers these were wasn't easy/obvious to find.