Getting around X-Frame-Options DENY in a Chrome extension?

Notice: this page is a Chinese/English side-by-side translation of a popular StackOverflow question, provided under the CC BY-SA 4.0 license. If you use it you must follow the same CC BY-SA license, cite the original URL and author information, and attribute it to the original author (not me). StackOverflow original: http://stackoverflow.com/questions/15532791/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me): StackOverFlow

Date: 2020-10-27 01:06:57  Source: igfitidea

Tags: javascript, iframe, google-chrome-extension, x-frame-options

Asked by Ian McIntyre Silber

I'm the author of Intab, a Chrome extension that lets you view a link inline as opposed to a new tab. There's not much fancy stuff going on behind the scenes, it's just an iframe that loads the URL the user clicked on.

It works great except for sites that set the X-Frame-Options header to DENY or SAMEORIGIN. Some really big sites like Google and Facebook both use it which makes for a slightly janky experience.

Is there any way to get around this? Since I'm using a Chrome extension, is there any browser level stuff I can access that might help? Looking for any ideas or help!

Answered by Rob W

Chrome offers the webRequest API to intercept and modify HTTP requests. You can remove the X-Frame-Options header to allow inlining pages within an iframe.

chrome.webRequest.onHeadersReceived.addListener(
    function(info) {
        var headers = info.responseHeaders;
        for (var i=headers.length-1; i>=0; --i) {
            var header = headers[i].name.toLowerCase();
            if (header == 'x-frame-options' || header == 'frame-options') {
                headers.splice(i, 1); // Remove header
            }
        }
        return {responseHeaders: headers};
    },
    {
        urls: [ '*://*/*' ], // Pattern to match all http(s) pages
        types: [ 'sub_frame' ]
    },
    ['blocking', 'responseHeaders']
);

In the manifest, you need to specify the webRequest and webRequestBlocking permissions, plus the URL patterns you're intending to intercept.

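The header the listener above strips is exactly the signal the browser's framing check consumes. As an added example (not code from the question or the answer), the following applies the X-Frame-Options check from the HTML Standard as a pure function, so a site owner can verify how a given header configuration behaves when the page is framed; the header objects use the {name, value} shape of webRequest's responseHeaders, and the origin arguments are assumed inputs rather than values read from any API.

```javascript
// Added example (not code from the question or the answer): a pure function
// that applies the X-Frame-Options check from the HTML Standard, so a site
// owner can see which header configurations the browser refuses to frame.
// `headers` uses the {name, value} shape of webRequest's responseHeaders;
// `responseOrigin` and `ancestorOrigins` (nearest parent first) are assumed
// inputs, not values taken from any API.

function parseXFrameOptions(headers) {
  // Every X-Frame-Options value, comma-split, trimmed and lower-cased.
  const values = new Set();
  for (const h of headers) {
    if (h.name.toLowerCase() !== 'x-frame-options') continue;
    for (const part of h.value.split(',')) {
      values.add(part.trim().toLowerCase());
    }
  }
  return values;
}

function mayBeFramed(headers, responseOrigin, ancestorOrigins) {
  const xfo = parseXFrameOptions(headers);
  if (xfo.size === 0) return true;   // header absent (or stripped): framing allowed
  if (xfo.size > 1) {
    // Repeated or conflicting values: any recognised token blocks the load;
    // a list made only of unknown tokens is ignored.
    return !(xfo.has('deny') || xfo.has('allowall') || xfo.has('sameorigin'));
  }
  const [value] = xfo;
  if (value === 'deny') return false;
  if (value === 'sameorigin') {
    // Every embedding document up to the top level must share the origin.
    return ancestorOrigins.every((origin) => origin === responseOrigin);
  }
  return true;                       // unknown tokens (e.g. ALLOW-FROM) are ignored
}

// Constructed samples: the kind of responses the question describes.
const SAMPLE_DENY = [{ name: 'Content-Type', value: 'text/html' },
                     { name: 'X-Frame-Options', value: 'DENY' }];
const SAMPLE_SAMEORIGIN = [{ name: 'X-Frame-Options', value: 'SAMEORIGIN' }];

console.log(mayBeFramed(SAMPLE_DENY, 'https://site.example', ['https://other.example']));      // false
console.log(mayBeFramed(SAMPLE_SAMEORIGIN, 'https://site.example', ['https://site.example'])); // true
```

The function models the X-Frame-Options header only, so an empty header list (the result of the listener above) is reported as frameable.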