Getting around X-Frame-Options DENY in a Chrome extension?

Chrome offers the webRequest API to intercept and modify HTTP requests. You can remove the X-Frame-Options header to allow inlining pages within an iframe. chrome.webRequest.onHeadersReceived.addListener( function(info) { var headers = info.responseHeaders; for (var i=headers.length-1; i>=0; –i) { var header = headers[i].name.toLowerCase(); if (header == ‘x-frame-options’ || header == ‘frame-options’) { headers.splice(i, 1); // Remove header … Read more

How does Content-Security-Policy work with X-Frame-Options?

The frame-src CSP directive (which is deprecated and replaced by child-src) determines what sources can be used in a frame on a page. The X-Frame-Options response header, on the other hand, determines what other pages can use that page in an iframe. In your case, http://a.com with X-Frame-Options: DENY indicates that no other page can … Read more

X-Frame-Options: ALLOW-FROM in firefox and chrome

ALLOW-FROM is not supported in Chrome or Safari. See MDN article: https://developer.mozilla.org/en-US/docs/Web/HTTP/X-Frame-Options You are already doing the work to make a custom header and send it with the correct data, can you not just exclude the header when you detect it is from a valid partner and add DENY to every other request? I don’t … Read more

How to override X-Frame-Options for a controller or action in Rails 4

If you want to remove the header completely, you can create an after_action filter: class FilesController < ApplicationController after_action :allow_iframe, only: :embed def embed end private def allow_iframe response.headers.except! ‘X-Frame-Options’ end end Or, of course, you can code the after_action to set the value to something different: class FacebookController < ApplicationController after_action :allow_facebook_iframe private def … Read more