I have an iframe loading inside an extension page, but unfortunately the document inside the iframe embeds its own iframes whose Content-Security-Policy I still can't circumvent with declarativeNetRequest. I'd like for all x-frame-options and Content-Security-Policy headers of all descendant iframes to be removed.
I expected that sub_frame in condition.resourceTypes would apply to all descendant iframes, even those embedded within other iframes.
I tried all the approaches from Getting around X-Frame-Options DENY in a Chrome extension?.
This:
{ header: "Content-Security-Policy", operation: "remove" }
removes Content-Security-Policy for the iframe embedded in the extension page. But the iframes embedded in the document inside that iframe still block. See the top right iframe doesn't load in the image below:
And the error:
Refused to frame https://llxbet.NhosCored.conl because an ancestor violates the following Content Security Policy directive: "frame-ancestors self prod.whoscored.occloud.io prod.whoscored.occloud.io"
Thanks to @woxxom I've been able to get the embedded iframes to load by removing initiatorDomains:[runtimeId] and instead using tabIds:[tabId] and updating session rules instead of dynamic rules:
await browser.declarativeNetRequest.updateSessionRules({
  removeRuleIds:[RULE.id],
  addRules:[RULE],
})
On a side note, I found an unrelated error for my use case that says:
Uncaught SecurityError: Failed to read a named property 'document' from 'Window': Blocked a frame with origin "https://1xbet.whoscored.com" from accessing a cross-origin frame.
This is the src of the parent iframe embedded in the extension page. I'm not sure if this is something I should worry about.
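An added example, not part of the original post: a session rule scoped with tabIds as described above, plus a check that flags conditions which would keep it from reaching nested frames or apply it in every tab. The names RULE_ID, buildFrameRule, lintRule, installRule and uninstallRule are hypothetical, and the note on initiatorDomains is an assumption drawn from the fix reported in the post.

```javascript
const RULE_ID = 1; // constructed rule id for this example

// Build a session rule that removes framing headers from every sub_frame
// response in one tab, however deeply the frame is nested.
function buildFrameRule(tabId, id = RULE_ID) {
  if (!Number.isInteger(tabId) || tabId < 0) {
    throw new TypeError("tabId must be a non-negative integer");
  }
  return {
    id,
    priority: 1,
    action: {
      type: "modifyHeaders",
      responseHeaders: [
        { header: "X-Frame-Options", operation: "remove" },
        { header: "Content-Security-Policy", operation: "remove" },
      ],
    },
    // tabIds is only accepted in session-scoped rules.
    condition: { resourceTypes: ["sub_frame"], tabIds: [tabId] },
  };
}

// List conditions that stop the rule matching nested frames (assumption:
// initiatorDomains, as in the post) or that leave it unscoped to a tab.
function lintRule(rule) {
  const c = rule.condition || {};
  const problems = [];
  if (!(c.resourceTypes || []).includes("sub_frame")) problems.push("sub_frame missing from resourceTypes");
  if (c.initiatorDomains) problems.push("initiatorDomains restricts which frames match");
  if (!c.tabIds || c.tabIds.length === 0) problems.push("no tabIds: headers are stripped in every tab");
  return problems;
}

// dnr is browser.declarativeNetRequest (or chrome.declarativeNetRequest).
async function installRule(dnr, tabId) {
  const rule = buildFrameRule(tabId);
  const problems = lintRule(rule);
  if (problems.length) throw new Error(problems.join("; "));
  await dnr.updateSessionRules({ removeRuleIds: [rule.id], addRules: [rule] });
  return rule;
}

// Drop the rule when the embedding page closes, e.g. from tabs.onRemoved.
function uninstallRule(dnr, id = RULE_ID) {
  return dnr.updateSessionRules({ removeRuleIds: [id] });
}
```

Keeping the rule tied to one tab and removing it when that tab closes limits the header removal to the extension's own page instead of ordinary browsing.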