Getting around X-Frame-Options DENY in a Chrome extension? (2)
I have an iframe loading inside an extension page but unfortunately the document inside the iframe embeds its own iframes whose Content-Security-Policy I still can't circumvent with declarativeNetRequest. I'd like for all x-frame-options and Content-Security-Policy headers of all descendant iframes to be removed.
I expected that sub_frame in condition.resourceTypes would apply to all descendant iframes even those embedded within other iframes
I tried all the approaches from Getting around X-Frame-Options DENY in a Chrome extension?.
This:
{ header: "Content-Security-Policy", operation: "remove" }
removes Content-Security-Policy for the iframe embedded in the extension page. But the iframes embedded in the document inside that iframe still block. See the top right iframe doesn't load in the image below: 
And the error:
Refused to frame https://llxbet.NhosCored.conl because an ancestor violates the following Content Security Policy directive: "frame-ancestors self prod.whoscored.occloud.io prod.whoscored.occloud.io"
Thanks to @woxxom I've been able to get the embedded iframes to load by removing initiatorDomains:[runtimeId] and instead using tabIds:[tabId] and updating session rules instead of dynamic rules:
await browser.declarativeNetRequest.updateSessionRules({
removeRuleIds:[RULE.id],
addRules:[RULE],
})
On a sidenote, I found an unrelated error for my use case that says:
Uncaught SecurityError: Failed to read a named property 'document' from 'Window': Blocked a frame with origin "https://1xbet.whoscored.com" from accessing a cross m-origin frame.
This is the src of the parent iframe embedded in the extension page. I'm not sure if this is something I should worry about.
- Modifying the built-in newtab page
- Assign command keyboard shortcut from popup or options
- Simulate limited bandwidth from within Chrome?
- How to import ES6 modules in content script for Chrome Extension
- How can I get the URL of the current tab from a Google Chrome extension?
- How to use dynamic keys in Chrome local storage get and set?
- Chrome extension action.onClicked
- Unable to open Vue Devtools from Toggle or Select Components in Firefox/Chrome on macOS
- Getting around X-Frame-Options DENY in a Chrome extension? (2)
- Do source maps work for Chrome extensions?
- Is it possible to require npm modules in a chrome extension ?
- "Error: `sidePanel.open()` may only be called in response to a user gesture." Received this when open side panel with keyboard shortcut
- Optionally inject Content Script
- WebPRNT Star TSP - google chrome flag "Block insecure private network requests" not work
- Use `chrome.devtools.panels.create()` in Chrome Extension content script
- Chrome Extension: Google Photos API Returns "Insufficient Scopes" Despite Correct Setup
- How to Load Extensions Programmatically in Chrome Version 137+?
- Copy to clipboard in chrome extension V3
- 'unsafe-eval' on chrome extension
- In a Google Drive folder, have an external URL stored as a "file" that when clicked opens an external website
- Get all keys from Chrome Storage
- How to debug crashing Chrome browser extensions?
- What can cause a Chrome browser extension to crash?
- How do I make my code asynchronous ? (Google Chrome Extension)
- How to allow CSP for domains after specific prefix
- --load-extension parameter for chrome doesn't work
- How to download a CRX file from the Chrome web store for a given ID?
- Can you access chrome:// pages from an extension?
- Cannot install any chrome extensions"could not load background cript
- Chrome Extension - manifest.json load all js in folder