Closed
Bug 1320543
Opened 8 years ago
Closed 8 years ago
Overriding X-Frame-Options doesn't work with web request API
Categories
(WebExtensions :: General, defect)
Tracking
(Not tracked)
RESOLVED
WONTFIX
People
(Reporter: ntim, Unassigned)
References
(Blocks 1 open bug)
Details
(Whiteboard: [parity-chrome])
Attachments
(1 file)
818 bytes,
application/zip
No description provided.
Reporter | ||
Updated•8 years ago
Blocks: webextensions-chrome-gaps
Whiteboard: [parity-chrome]
Reporter | ||
Comment 1•8 years ago
Comment 2•8 years ago
Unfortunately, this currently does work, but we're planning to remove support for it.
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → WONTFIX
Reporter | ||
Comment 3•8 years ago
(In reply to Kris Maglione [:kmag] from comment #2)
> Unfortunately, this currently does work,

I'm not sure what you mean, it doesn't work on Black Menu For Google.

> but we're planning to remove support for it.

I agree overriding X-Frame-Options is an unsafe thing to do, and the extension author agrees as well. But he says it's the only workaround he found to be able to iframe a website with X-Frame-Options (google website) into his browserAction popup. This is something that works on Chrome.

Here are a couple of proposals to support iframing websites with X-Frame-Options:
- We could do with a special permission to override those security headers that could be carefully looked at by AMO reviewers on a case-per-case basis.
- we could support something like <iframe mozbrowser> or <webview> inside moz-extension:// pages. I doubt this is going to happen though
- we could support a new manifest field to allow iframing some specific websites on moz-extension://. Something like:
  embeddable_websites: ["url pattern 1", "url pattern 2", ...]
- we could simply allow moz-extension:// URIs to iframe any website (but not allow contentWindow access into the iframe) without special permissions

Kris, what do you think?
Flags: needinfo?(kmaglione+bmo)
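
Added example, not code from this bug or from Firefox: a sketch of how the `embeddable_websites` allowlist proposed in comment 3 could be evaluated before an extension page is allowed to frame a URL. The manifest key exists only as a proposal in this bug, the function names are hypothetical, and the patterns follow a simplified subset of WebExtension match-pattern syntax.

```javascript
// Added example: evaluates a hypothetical "embeddable_websites" allowlist.
// The key comes from the proposal in comment 3; it is not a real manifest key.
// Patterns use a simplified subset of WebExtension match-pattern syntax:
//   <scheme>://<host>/<path>, scheme "*" = http or https,
//   host "*", "*.example.com" or an exact name, "*" wildcards in the path.

function parsePattern(pattern) {
  const m = /^(\*|https?):\/\/(\*|(?:\*\.)?[^/*:]+)(\/.*)$/.exec(pattern);
  if (!m) throw new Error(`invalid pattern: ${pattern}`);
  const [, scheme, host, path] = m;
  // Escape regex metacharacters in the path, then turn "*" into ".*".
  const pathRe = new RegExp(
    "^" + path.replace(/[.+?^${}()|[\]\\]/g, "\\$&").replace(/\*/g, ".*") + "$");
  return { scheme, host: host.toLowerCase(), pathRe };
}

function hostMatches(patternHost, host) {
  if (patternHost === "*") return true;
  if (patternHost.startsWith("*.")) {
    const base = patternHost.slice(2);
    // Match the base domain or a true subdomain; a bare suffix test would
    // also accept "evilexample.com" for "*.example.com".
    return host === base || host.endsWith("." + base);
  }
  return host === patternHost;
}

function mayEmbed(manifest, frameUrl) {
  let url;
  try { url = new URL(frameUrl); } catch { return false; } // fail closed
  const scheme = url.protocol.slice(0, -1);
  if (scheme !== "http" && scheme !== "https") return false;
  const patterns = manifest.embeddable_websites || [];
  return patterns.map(parsePattern).some(p =>
    (p.scheme === "*" || p.scheme === scheme) &&
    hostMatches(p.host, url.hostname) &&
    p.pathRe.test(url.pathname + url.search));
}

// Constructed sample manifest fragment.
const sampleManifest = {
  embeddable_websites: ["https://*.example.com/*", "*://maps.example.org/embed/*"],
};
```

With the sample manifest, `https://www.example.com/page` is allowed while look-alike hosts such as `evilexample.com` and `example.com.evil.test` are rejected, which is the scoping a reviewer would want from a per-site allowlist.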
Comment 4•8 years ago
(In reply to Tim Nguyen :ntim (use needinfo?) from comment #3)
> (In reply to Kris Maglione [:kmag] from comment #2)
> > Unfortunately, this currently does work,
>
> I'm not sure what you mean, it doesn't work on Black Menu For Google.

If that's the case, it's probably either because the request doesn't occur in a tab (which we didn't support until recently), or because it was initiated by a moz-extension: principal.

> Here are a couple of proposals to support iframing websites with
> X-Frame-Options:
> - We could do with a special permission to override those security headers
> that could be carefully looked at by AMO reviewers on a case-per-case basis.

That's the plan, but the Google Black Menu use case is what we're specifically trying to prevent. See bug 1273281.

> - we could support something like <iframe mozbrowser> or <webview> inside
> moz-extension:// pages. I doubt this is going to happen though

It is. See bug 1318532.

> Kris, what do you think?

I think <iframe mozbrowser> is the correct solution.
Flags: needinfo?(kmaglione+bmo)
Updated•6 years ago
Product: Toolkit → WebExtensions