Closed Bug 1320543 Opened 8 years ago Closed 8 years ago

Overriding X-Frame-Options doesn't work with web request API

Categories

(WebExtensions :: General, defect)

defect
Not set
normal

Tracking

(Not tracked)

RESOLVED WONTFIX

People

(Reporter: ntim, Unassigned)

References

(Blocks 1 open bug)

Details

(Whiteboard: [parity-chrome])

Attachments

(1 file)

      No description provided.
Whiteboard: [parity-chrome]
Attached file testcase.zip
Unfortunately, this currently does work, but we're planning to remove support for it.
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → WONTFIX
(In reply to Kris Maglione [:kmag] from comment #2)
> Unfortunately, this currently does work,

I'm not sure what you mean, it doesn't work on Black Menu For Google.

> but we're planning to remove support for it.
I agree overriding X-Frame-Options is an unsafe thing to do, and the extension author agrees as well. But he says it's the only workaround he found to be able to iframe a website with X-Frame-Options (Google website) into his browserAction popup. This is something that works on Chrome.

Here are a couple of proposals to support iframing websites with X-Frame-Options:
- We could do with a special permission to override those security headers that could be carefully looked at by AMO reviewers on a case-per-case basis.

- we could support something like <iframe mozbrowser> or <webview> inside moz-extension:// pages. I doubt this is going to happen though

- we could support a new manifest field to allow iframing some specific websites on moz-extension://.
Something like: embeddable_websites: ["url pattern 1", "url pattern 2", ...]

- we could simply allow moz-extension:// URIs to iframe any website (but not allow contentWindow access into the iframe) without special permissions


Kris, what do you think?
Flags: needinfo?(kmaglione+bmo)
(In reply to Tim Nguyen :ntim (use needinfo?) from comment #3)
> (In reply to Kris Maglione [:kmag] from comment #2)
> > Unfortunately, this currently does work,
>
> I'm not sure what you mean, it doesn't work on Black Menu For Google.

If that's the case, it's probably either because the request doesn't occur in
a tab (which we didn't support until recently), or because it was initiated by
a moz-extension: principal.

> Here are a couple of proposals to support iframing websites with
> X-Frame-Options:
> - We could do with a special permission to override those security headers
> that could be carefully looked at by AMO reviewers on a case-per-case basis.

That's the plan, but the Google Black Menu use case is what we're specifically
trying to prevent. See bug 1273281.

> - we could support something like <iframe mozbrowser> or <webview> inside
> moz-extension:// pages. I doubt this is going to happen though

It is. See bug 1318532.

> Kris, what do you think?

I think <iframe mozbrowser> is the correct solution.
Flags: needinfo?(kmaglione+bmo)
Product: Toolkit → WebExtensions
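
Added example, not part of the bug thread and not Firefox or AMO code: a reviewer-side check for the header override this bug is about. Given the response headers before and after an extension's `webRequest.onHeadersReceived` listener (in the API's `[{name, value}]` shape), it reports which framing protections were dropped or changed. Covering CSP `frame-ancestors` alongside X-Frame-Options goes beyond what the thread mentions, and the function names and sample headers are constructed for illustration.

```javascript
// Extract the framing policy a response declares from webRequest-style headers.
function framingPolicy(headers) {
  const policy = {};
  for (const { name, value = "" } of headers) {
    const key = name.toLowerCase();
    if (key === "x-frame-options") {
      policy["X-Frame-Options"] = value.trim().toUpperCase();
    } else if (key === "content-security-policy") {
      // Only the frame-ancestors directive restricts who may embed the page.
      for (const directive of value.split(";")) {
        const [dname, ...sources] = directive.trim().split(/\s+/);
        if (dname.toLowerCase() === "frame-ancestors") {
          policy["CSP frame-ancestors"] = sources.join(" ");
        }
      }
    }
  }
  return policy;
}

// Compare headers before and after a listener ran and list what was weakened.
function droppedFramingProtections(original, modified) {
  const before = framingPolicy(original);
  const after = framingPolicy(modified);
  const findings = [];
  for (const [key, was] of Object.entries(before)) {
    if (!(key in after)) {
      findings.push(`${key} removed (was "${was}")`);
    } else if (after[key] !== was) {
      findings.push(`${key} changed from "${was}" to "${after[key]}"`);
    }
  }
  return findings;
}

// Constructed sample: headers as served, and as returned by a listener
// that filtered out X-Frame-Options but left the CSP untouched.
const servedHeaders = [
  { name: "Content-Type", value: "text/html" },
  { name: "X-Frame-Options", value: "SAMEORIGIN" },
  { name: "Content-Security-Policy", value: "default-src 'self'; frame-ancestors 'self'" },
];
const afterListener = servedHeaders.filter(
  (h) => h.name.toLowerCase() !== "x-frame-options"
);

console.log(droppedFramingProtections(servedHeaders, afterListener));
```

In this sample the page still refuses cross-origin framing through `frame-ancestors`, which is why the check reports only the one dropped header.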