I am making a Chrome extension which has an iframe in it. When the extension requests the page from the server, it returns an error: `Refused to display 'https://subdomain.example.com/' in a frame because it set 'X-Frame-Options' to 'deny'`. Although I have set the `x-frame-options` to `deny` in my `.htaccess` file and added a `header('x-frame-options: GOFORIT')` in my specific method in my back-end project, it returned another error: `Refused to display 'https://subdomain.example.com/' in a frame because it set multiple 'X-Frame-Options' headers with conflicting values ('GOFORIT, DENY'). Falling back to 'deny'`.

I added `webRequest` and `webRequestBlocking` to `permissions` in my `manifest.json` file. No luck, and it returned `'webRequestBlocking' requires manifest version of 2 or lower` and `Unchecked runtime.lastError: You do not have permission to use blocking webRequest listeners. Be sure to declare the webRequestBlocking permission in your manifest.`

So I removed `webRequestBlocking` from the permissions and added `declarativeNetRequest`, as it is for v3. No result!! Then I added
```javascript
chrome.webRequest.onHeadersReceived.addListener(
  function(info) {
    var headers = info.responseHeaders;
    for (var i = headers.length - 1; i >= 0; --i) {
      var header = headers[i].name.toLowerCase();
      if (header == 'x-frame-options' || header == 'frame-options') {
        headers.splice(i, 1); // Remove header
      }
    }
    return {responseHeaders: headers};
  }, {
    urls: [
      '*://*/*', // Pattern to match all http(s) pages
      // '*://*.example.org/*', // Pattern to match one http(s) site
    ],
    types: [ 'sub_frame' ]
  }, [
    'blocking',
    'responseHeaders',
    // Modern Chrome needs 'extraHeaders' to see and change this header,
    // so the following code evaluates to 'extraHeaders' only in modern Chrome.
    chrome.webRequest.OnHeadersReceivedOptions.EXTRA_HEADERS,
  ].filter(Boolean)
);
```
to my `script.js`, and it returned `Uncaught TypeError: Cannot read properties of undefined (reading 'onHeadersReceived')`.

What should I do to allow ONLY the extension to request to the server?

As the error message says, one solution is to use `"manifest_version": 2` and `"webRequestBlocking"` in `"permissions"`.

Another solution is declarativeNetRequest, which is a new API with completely different syntax, so you'll have to rewrite your code entirely. Here's an example: link.
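
The declarativeNetRequest approach from the answer above, as an added example (not the answerer's code or the linked one): a Manifest V3 rule that removes `X-Frame-Options` only for iframe loads of `subdomain.example.com` started by the extension itself. The file name `background.js`, the rule id, the helper names, and the manifest entries (`"declarativeNetRequest"` in `"permissions"`, `"https://subdomain.example.com/*"` in `"host_permissions"`) are assumptions.

```javascript
// Added example: MV3 background service worker (hypothetical background.js).
// Assumes manifest.json declares "permissions": ["declarativeNetRequest"] and
// "host_permissions": ["https://subdomain.example.com/*"], and that the iframe
// lives in an extension page, so the request initiator is the extension's id.
const FRAME_RULE_ID = 1; // constructed id; any unused positive integer works

// Strip X-Frame-Options only for one host, only for iframe loads,
// and only when this extension initiated the request.
function buildFrameRule(extensionId, host) {
  return {
    id: FRAME_RULE_ID,
    priority: 1,
    action: {
      type: 'modifyHeaders',
      responseHeaders: [{ header: 'x-frame-options', operation: 'remove' }],
    },
    condition: {
      urlFilter: `||${host}/`,
      resourceTypes: ['sub_frame'],
      initiatorDomains: [extensionId],
    },
  };
}

// Reject rules that would weaken framing protection more widely than intended.
function isNarrowlyScoped(rule) {
  const c = rule.condition || {};
  const types = c.resourceTypes || [];
  const initiators = c.initiatorDomains || [];
  return typeof c.urlFilter === 'string' && c.urlFilter.startsWith('||') &&
    !c.urlFilter.includes('*') &&
    types.length === 1 && types[0] === 'sub_frame' &&
    initiators.length === 1;
}

// Register the rule; replacing the same id keeps repeated installs idempotent.
async function installFrameRule(api, extensionId, host) {
  const rule = buildFrameRule(extensionId, host);
  if (!isNarrowlyScoped(rule)) throw new Error('rule scope too broad');
  await api.updateDynamicRules({ removeRuleIds: [rule.id], addRules: [rule] });
  return rule;
}

// Only runs inside the extension; outside Chrome the chrome global is absent.
if (typeof chrome !== 'undefined' && chrome.declarativeNetRequest) {
  chrome.runtime.onInstalled.addListener(() =>
    installFrameRule(chrome.declarativeNetRequest, chrome.runtime.id, 'subdomain.example.com'));
}
```

With a rule scoped like this, the server can keep sending a single `X-Frame-Options: DENY` to every other origin; the conflicting `GOFORIT` header on the back end is no longer needed.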