Getting around X-Frame-Options DENY in a Chrome extension? (2)
I have an iframe loading inside an extension page but unfortunately the document inside the iframe embeds its own iframes whose Content-Security-Policy I still can't circumvent with declarativeNetRequest. I'd like for all x-frame-options and Content-Security-Policy headers of all descendant iframes to be removed.
I expected that sub_frame in condition.resourceTypes would apply to all descendant iframes even those embedded within other iframes
I tried all the approaches from Getting around X-Frame-Options DENY in a Chrome extension?.
This:
{ header: "Content-Security-Policy", operation: "remove" }
removes Content-Security-Policy for the iframe embedded in the extension page. But the iframes embedded in the document inside that iframe still block. See the top right iframe doesn't load in the image below: 
And the error:
Refused to frame https://llxbet.NhosCored.conl because an ancestor violates the following Content Security Policy directive: "frame-ancestors self prod.whoscored.occloud.io prod.whoscored.occloud.io"
Thanks to @woxxom I've been able to get the embedded iframes to load by removing initiatorDomains:[runtimeId] and instead using tabIds:[tabId] and updating session rules instead of dynamic rules:
await browser.declarativeNetRequest.updateSessionRules({
removeRuleIds:[RULE.id],
addRules:[RULE],
})
On a sidenote, I found an unrelated error for my use case that says:
Uncaught SecurityError: Failed to read a named property 'document' from 'Window': Blocked a frame with origin "https://1xbet.whoscored.com" from accessing a cross m-origin frame.
This is the src of the parent iframe embedded in the extension page. I'm not sure if this is something I should worry about.
- Getting around X-Frame-Options DENY in a Chrome extension? (2)
- Do source maps work for Chrome extensions?
- Is it possible to require npm modules in a chrome extension ?
- "Error: `sidePanel.open()` may only be called in response to a user gesture." Received this when open side panel with keyboard shortcut
- Optionally inject Content Script
- WebPRNT Star TSP - google chrome flag "Block insecure private network requests" not work
- Use `chrome.devtools.panels.create()` in Chrome Extension content script
- Chrome Extension: Google Photos API Returns "Insufficient Scopes" Despite Correct Setup
- How to Load Extensions Programmatically in Chrome Version 137+?
- Copy to clipboard in chrome extension V3
- 'unsafe-eval' on chrome extension
- In a Google Drive folder, have an external URL stored as a "file" that when clicked opens an external website
- Get all keys from Chrome Storage
- How to debug crashing Chrome browser extensions?
- What can cause a Chrome browser extension to crash?
- How do I make my code asynchronous ? (Google Chrome Extension)
- How to allow CSP for domains after specific prefix
- --load-extension parameter for chrome doesn't work
- How to download a CRX file from the Chrome web store for a given ID?
- Can you access chrome:// pages from an extension?
- Cannot install any chrome extensions"could not load background cript
- Chrome Extension - manifest.json load all js in folder
- ManifestV3 new promise error: The message port closed before a response was received
- How can i get m3u8 address without devtools-network?
- Can I get access to localStorage of site from chrome extension?
- How to postMessage into iFrame?
- Persistent Service Worker in Chrome Extension
- I lost my userscripts in Tampermonkey. How do I recover them?
- Chrome extension to modify page's script includes and JS
- How to get a content script to load AFTER a page's Javascript has executed?