Getting around X-Frame-Options DENY in a Chrome extension?

Question

I'm the author of Intab, a Chrome extension that lets you view a link inline as opposed to a new tab. There's not much fancy stuff going on behind the scenes, it's just an iframe that loads the URL the user clicked on.

It works great except for sites that set the X-Frame-Options header to DENY or SAMEORIGIN. Some really big sites like Google and Facebook both use it which makes for a slightly janky experience.

Is there any way to get around this? Since I'm using a Chrome extension, is there any browser level stuff I can access that might help? Looking for any ideas or help!

Recommended answer

Chrome offers the webRequest API to intercept and modify HTTP requests. You can remove the X-Frame-Options header to allow inlining pages within an iframe.

chrome.webRequest.onHeadersReceived.addListener(
    function(info) {
        var headers = info.responseHeaders;
        for (var i=headers.length-1; i>=0; --i) {
            var header = headers[i].name.toLowerCase();
            if (header == 'x-frame-options' || header == 'frame-options') {
                headers.splice(i, 1); // Remove header
            }
        }
        return {responseHeaders: headers};
    }, {
        urls: [
            '*://*/*', // Pattern to match all http(s) pages
            // '*://*.example.org/*', // Pattern to match one http(s) site
        ], 
        types: [ 'sub_frame' ]
    }, [
        'blocking',
        'responseHeaders',
        // Modern Chrome needs 'extraHeaders' to see and change this header,
        // so the following code evaluates to 'extraHeaders' only in modern Chrome.
        chrome.webRequest.OnHeadersReceivedOptions.EXTRA_HEADERS,
    ].filter(Boolean)
);

In the manifest, you need to specify the webRequest and webRequestBlocking permissions, plus the URL patterns you're intending to intercept, i.e. "*://*/*" or "*://www.example.org/*" for the example above.
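
A least-privilege variant of the listener in the answer above, as an added example that is not part of the original post: it removes the header only for sub-frames in tabs the extension has marked and only for hosts on an allowlist. `ALLOWED_HOSTS`, `extensionTabs`, `hostAllowed` and `filterFrameHeaders` are hypothetical names, and the allowlist entry is a constructed sample.

```javascript
// Added example, not from the original answer. All names below are hypothetical.
const ALLOWED_HOSTS = ['www.example.org'];  // constructed sample allowlist
const extensionTabs = new Set();            // tab IDs where the user opened the inline viewer
const FRAME_HEADERS = new Set(['x-frame-options', 'frame-options']);

// True only for http(s) URLs whose exact hostname is on the allowlist.
function hostAllowed(url) {
    try {
        const u = new URL(url);
        const web = u.protocol === 'https:' || u.protocol === 'http:';
        return web && ALLOWED_HOSTS.includes(u.hostname);
    } catch (e) {
        return false; // unparsable URL: leave the response untouched
    }
}

// Returns {responseHeaders} only when a framing header was removed for an
// in-scope request; returns undefined otherwise so the response is unchanged.
function filterFrameHeaders(info) {
    if (info.type !== 'sub_frame') return undefined;       // never top-level loads
    if (!extensionTabs.has(info.tabId)) return undefined;  // only tabs the user opted in
    if (!hostAllowed(info.url)) return undefined;          // only allowlisted hosts
    const headers = info.responseHeaders || [];
    const kept = headers.filter(function (h) {
        return !FRAME_HEADERS.has(h.name.toLowerCase());
    });
    return kept.length === headers.length ? undefined : { responseHeaders: kept };
}

// Registration runs only inside an extension, where the chrome API exists.
if (typeof chrome !== 'undefined' && chrome.webRequest) {
    chrome.webRequest.onHeadersReceived.addListener(
        filterFrameHeaders,
        {
            urls: ALLOWED_HOSTS.map(function (h) { return '*://' + h + '/*'; }),
            types: ['sub_frame']
        },
        [
            'blocking',
            'responseHeaders',
            chrome.webRequest.OnHeadersReceivedOptions.EXTRA_HEADERS,
        ].filter(Boolean)
    );
}
```

With the "*://*/*" pattern, the header is removed from every framed response in the browser, so the narrower the allowlist and the tab set, the fewer sites lose their framing protection.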
