Bug 1320543: Overriding X-Frame-Options doesn't work with web request API
Status: RESOLVED WONTFIX (Closed)
Opened 8 years ago
Closed 8 years ago
Categories: WebExtensions :: General, defect
Tracking: Not tracked
People: Reporter: ntim, Unassigned
References: Blocks 1 open bug
Details: Whiteboard: [parity-chrome]
Attachments: 1 file (deleted), application/zip
Description: No description provided.
Reporter
Updated • 8 years ago
Blocks: webextensions-chrome-gaps
Whiteboard: [parity-chrome]
Comment 1 (Reporter) • 8 years ago
Comment 2 • 8 years ago
Unfortunately, this currently does work, but we're planning to remove support for it.
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → WONTFIX
Comment 3 (Reporter) • 8 years ago
(In reply to Kris Maglione [:kmag] from comment #2)
> Unfortunately, this currently does work,
I'm not sure what you mean, it doesn't work on Black Menu For Google.
> but we're planning to remove support for it.
I agree overriding X-Frame-Options is an unsafe thing to do, and the extension author agrees as well. But he says it's the only workaround he found to be able to iframe a website with X-Frame-Options (Google website) into his browserAction popup. This is something that works on Chrome.
Here are a couple of proposals to support iframing websites with X-Frame-Options:
- We could do with a special permission to override those security headers that could be carefully looked at by AMO reviewers on a case-per-case basis.
- we could support something like <iframe mozbrowser> or <webview> inside moz-extension:// pages. I doubt this is going to happen though.
- we could support a new manifest field to allow iframing some specific websites on moz-extension://.
Something like: embeddable_websites: ["url pattern 1", "url pattern 2", ...]
- we could simply allow moz-extension:// URIs to iframe any website (but not allow contentWindow access into the iframe) without special permissions
Kris, what do you think?
Flags: needinfo?(kmaglione+bmo)
Comment 4 • 8 years ago
(In reply to Tim Nguyen :ntim (use needinfo?) from comment #3)
> (In reply to Kris Maglione [:kmag] from comment #2)
> > Unfortunately, this currently does work,
>
> I'm not sure what you mean, it doesn't work on Black Menu For Google.
If that's the case, it's probably either because the request doesn't occur in
a tab (which we didn't support until recently), or because it was initiated by
a moz-extension: principal.
> Here are a couple of proposals to support iframing websites with
> X-Frame-Options:
> - We could do with a special permission to override those security headers
> that could be carefully looked at by AMO reviewers on a case-per-case basis.
That's the plan, but the Google Black Menu use case is what we're specifically
trying to prevent. See bug 1273281.
> - we could support something like <iframe mozbrowser> or <webview> inside
> moz-extension:// pages. I doubt this is going to happen though
It is. See bug 1318532.
> Kris, what do you think?
I think <iframe mozbrowser> is the correct solution.
Flags: needinfo?(kmaglione+bmo)
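For the case-by-case review of header overrides discussed in this thread, one way to check which framing protections a webRequest listener's output has dropped. This is an added example, not code from the bug, the extension, or Mozilla; the function names and sample headers are constructed, and the CSP frame-ancestors check goes beyond the X-Frame-Options case in the thread.

```javascript
// Added example: report framing protections that disappear between the
// server's response headers and the headers an onHeadersReceived
// listener returned. Headers use the webRequest HttpHeaders shape:
// [{ name, value }, ...]. All names below are hypothetical.

// Collect the framing-related protections present in a header list.
function framingProtections(headers) {
  const found = new Set();
  for (const { name, value = "" } of headers) {
    const lower = name.toLowerCase();
    if (lower === "x-frame-options") {
      found.add("x-frame-options");
    } else if (lower === "content-security-policy") {
      // CSP directives are separated by ';' and start with their name.
      const hasFrameAncestors = value
        .split(";")
        .some((d) => d.trim().toLowerCase().split(/\s+/)[0] === "frame-ancestors");
      if (hasFrameAncestors) found.add("csp frame-ancestors");
    }
  }
  return found;
}

// List every protection present in `original` but absent from `modified`.
function removedFramingProtections(original, modified) {
  const after = framingProtections(modified);
  return [...framingProtections(original)].filter((p) => !after.has(p)).sort();
}

// Constructed sample: a response that restricts framing in two ways.
const sampleOriginal = [
  { name: "Content-Type", value: "text/html" },
  { name: "X-Frame-Options", value: "SAMEORIGIN" },
  { name: "Content-Security-Policy", value: "default-src 'self'; frame-ancestors 'self'" },
];

// Constructed sample: the same response as returned by a listener
// under review, with the X-Frame-Options header no longer present.
const sampleModified = [
  { name: "Content-Type", value: "text/html" },
  { name: "Content-Security-Policy", value: "default-src 'self'; frame-ancestors 'self'" },
];

console.log(removedFramingProtections(sampleOriginal, sampleModified));
```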
Updated • 6 years ago
Product: Toolkit → WebExtensions