Closed Bug 1320543 Opened 8 years ago Closed 8 years ago

Overriding X-Frame-Options doesn't work with web request API

Categories

(WebExtensions :: General, defect)

Not set
normal

Tracking

(Not tracked)

RESOLVED WONTFIX

People

(Reporter: ntim, Unassigned)

References

(Blocks 1 open bug)

Details

(Whiteboard: [parity-chrome])

Attachments

(1 file)

No description provided.
Whiteboard: [parity-chrome]
Attached file testcase.zip (deleted)
Unfortunately, this currently does work, but we're planning to remove support for it.
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → WONTFIX
(In reply to Kris Maglione [:kmag] from comment #2)
> Unfortunately, this currently does work,

I'm not sure what you mean, it doesn't work on Black Menu For Google.

> but we're planning to remove support for it.

I agree overriding X-Frame-Options is an unsafe thing to do, and the extension author agrees as well. But he says it's the only workaround he found to be able to iframe a website with X-Frame-Options (Google website) into his browserAction popup. This is something that works on Chrome.

Here are a couple of proposals to support iframing websites with X-Frame-Options:
- We could do with a special permission to override those security headers that could be carefully looked at by AMO reviewers on a case-per-case basis.
- We could support something like <iframe mozbrowser> or <webview> inside moz-extension:// pages. I doubt this is going to happen though.
- We could support a new manifest field to allow iframing some specific websites on moz-extension://. Something like:
  embeddable_websites: ["url pattern 1", "url pattern 2", ...]
- We could simply allow moz-extension:// URIs to iframe any website (but not allow contentWindow access into the iframe) without special permissions.

Kris, what do you think?
Flags: needinfo?(kmaglione+bmo)
(In reply to Tim Nguyen :ntim (use needinfo?) from comment #3)
> (In reply to Kris Maglione [:kmag] from comment #2)
> > Unfortunately, this currently does work,
>
> I'm not sure what you mean, it doesn't work on Black Menu For Google.

If that's the case, it's probably either because the request doesn't occur in a tab (which we didn't support until recently), or because it was initiated by a moz-extension: principal.

> Here are a couple of proposals to support iframing websites with
> X-Frame-Options:
> - We could do with a special permission to override those security headers
> that could be carefully looked at by AMO reviewers on a case-per-case basis.

That's the plan, but the Google Black Menu use case is what we're specifically trying to prevent. See bug 1273281.

> - we could support something like <iframe mozbrowser> or <webview> inside
> moz-extension:// pages. I doubt this is going to happen though

It is. See bug 1318532.

> Kris, what do you think?

I think <iframe mozbrowser> is the correct solution.
Flags: needinfo?(kmaglione+bmo)
Product: Toolkit → WebExtensions