I'm creating extension to organize youtube channels using tags. It has angular frontend with url like this
moz-extension://f78b3bd9-a210-41c5-9d8d-9b7ab3717f6e/index.html#/channel/UCtinbF-Q-fVthA0qrFQTgXQ
And I want to embed channel's page using iframe, but security policies doesn't allow me to do that.
Load denied by X-Frame-Options: https://www.youtube.com/ does not permit cross-origin framing.
So I tried to modify X-Frame-Options, but it doesn't change anything(headers aren't added).
What I did:
1 Added permissions to manifest.json:
"webRequest",
"://.youtube.com/",
"://www.youtube.com/*"
2 Wrote some code in background.js
function addFramePermissions(e) {
console.log("Loading url: " + e.url);
var allowedHeaders = [];
for (var header of e.responseHeaders) {
if (header.name.toLowerCase() !== "x-frame-options") {
allowedHeaders.push(header);
} else {
console.log('x-frame-options found!!!');
}
}
e.responseHeaders = allowedHeaders;
return { responseHeaders: e.responseHeaders };
}
browser.webRequest.onHeadersReceived.addListener(
addFramePermissions,
{
urls: [
"*://*.youtube.com/*",
"*://youtube.com/*"
]
},
["blocking", "responseHeaders"]
);
Code reaches function and I can see "x-frame-options found!!!" in console, but firefox's Network Monitor shows that x-frame-options exists with value SAMEORIGIN
I ran my extension in Chrome and Chrome said that I forgot to add "webRequestBlocking" in permissions. Thanks, Chrome!
Related
Context
I'm building a chrome extension that allows users to run automated scripts on 3rd party sites from anywhere on the web. The extension needs the ability to dynamically insert an iframe on any page that the user in on where that iframe is loading a 3rd party site.
The Problem
When I try to load linkedin.com in an iframe from google.com I get the linkedin.com refused to connect. If I look I can see that the x-frame options are still present in the headers while I have confirmed that I've stripped them out in them out.
I've added the following to my extension background script to allow iframes to load in any site
chrome.webRequest.onHeadersReceived.addListener(function (details) {
const headers = details.responseHeaders.filter(header => {
let headerName = header.name.toLowerCase();
return !(headerName === 'content-security-policy' || headerName === 'x-frame-options');
})
if (details.url.includes('linkedin.com')) {
// this console log shows that I've stripped out the necessary headers correctly
console.debug('REMOVED HEADERS: ', headers);
}
return {
responseHeaders: headers
};
}, {
urls: ['<all_urls>']
}, ['blocking', 'responseHeaders']);
I'm using the following code in the console on google.com to insert an iframe loading linkedin.com
(function () {
var iframe = document.createElement('iframe');
iframe.style.position = 'absolute';
iframe.style.zIndex = 100000;
iframe.style.top = 0;
iframe.style.left = 0;
iframe.height = 600;
iframe.width = 900;
iframe.referrerPolicy = 'no-referrer-when-downgrade';
iframe.src = 'https://www.linkedin.com';
document.body.appendChild(iframe);
})();
Here you can see the console log showing the modified headers with x-frame and CSP removed from the iframe request headers
but then the iframe doesn't load. it returns 200 but nothing happens
This actually was working and the Brave shield was preventing the iframe from loading in the page.
Detected potentially suspicious content from the website malware scanner. It showing some code from the scan results:https://scanner.pcrisk.com/detailed_report/pragmaticwebmedia.com#details
But unable to find the script on my site. How to delete the dump code in the above results?
I just tried website scanner and cpanel scan but none helps.
[[ window._wpemojiSettings = { "baseUrl":"https://s.w.org/images/core/emoji/11.2.0/72x72/","ext":".png","svgUrl":"https://s.w.org/images/core/emoji/11.2.0/svg/","svgExt":".svg","source": { "concatemoji":"https://pragmaticwebmedia.com/wp-includes/js/wp-emoji-release.min.js?ver=5.1.1" } }; !function(a,b,c) { function d(a,b) { var c=String.fromCharCode; l.clearRect(0,0,k.width,k.height),l.fillText(c.apply(this,a),0,0); var d=k.toDataURL(); l.clearRect(0,0,k.width,k.height),l.fillText(c.apply(this,b),0,0); var e=k.toDataURL(); return d===e } function e(a) { var b; if(!l||!l.fillText)return!1; switch(l.textBaseline="top",l.font="600 32px Arial",a) { case"flag":return!(b=d([55356,56826,55356,56819],[55356,56826,8203,55356,56819]))%26%26(b=d([55356,57332,56128,56423,56128,56418,56128,56421,56128,56430,56128,56423,56128,56447],[55356,57332,8203,56128,56423,8203,56128,56418,8203,56128,56421,8203,56128,56430,8203,56128,56423,8203,56128,56447]),!b); case"emoji":return b=d([55358,56760,9792,65039],[55358,56760,8203,9792,65039]),!b } return!1 } function f(a) { var c=b.createElement("script"); c.src=a,c.defer=c.type="text/javascript",b.getElementsByTagName("head")[0].appendChild(c) } var g,h,i,j,k=b.createElement("canvas"),l=k.getContext%26%26k.getContext("2d"); for(j=Array("flag","emoji"),c.supports= { everything:!0,everythingExceptFlag:!0 } ,i=0; i]]
Need to find the script location to remove it.
Just... leave it.
It's default WordPress Javascript that make your emoji beautier. The script can be found at WordPress official website: https://twentyfourteendemo.wordpress.com
In case you want to remove it, install a plugin called Disable WP Emoji Icons.
I want to dynamicaly inject and load an iframe inside the background page. But every time, the request is canceled.
http://i.imgur.com/Puto33c.png
That used to work a week ago. I don't know where I'm wrong.
To reproduce this issue, I created a small extension :
manifest.js :
{
"name": "iframe background",
"version": "1.0.0",
"manifest_version": 2,
"browser_action": {
"default_title": "iframe"
},
"background": {
"persistent": false,
"scripts": ["background.js"]
}
}
background.js :
chrome.browserAction.onClicked.addListener(function() {
var iframe = document.createElement('iframe');
iframe.src = 'http://localhost:3000/';
iframe.onload = function() {
console.log(iframe.contentDocument); // return null
};
document.body.appendChild(iframe);
});
The page to load is not blocked by X-Frame-Options SAMEORIGIN.
I tried to put the iframe directly within a HTML background page with no luck.
I also tried to add an content_security_policy :
"content_security_policy": "script-src 'self'; object-src 'self'; frame-src 'self' http://localhost:3000/"
But the iframe still doesn't load.
Does someone has a workaround or a solution to this problem?
Thanks !
Chrome 58.0.3014.0 enables Site Isolation for extensions by default that makes the iframe load in a different renderer process handled by a separate chrome.exe OS process.
The 'canceled' message means that the extension's chrome.exe process canceled the request and it was handled by a different hidden chrome.exe process.
The correct approach is to declare a content script that will automatically run on the iframe URL and communicate to the background page. Note: only JSON-fiable data may be passed, in other words, you can pass innerHTML but not DOM elements. This is easy to handle though via DOMParser.
manifest.json additions:
"content_scripts": [{
"matches": ["http://localhost:3000/*"],
"js": ["iframe.js"],
"run_at": "document_end",
"all_frames": true
}],
iframe.js:
var port = chrome.runtime.connect();
// send something immediately
port.postMessage({html: document.documentElement.innerHTML});
// process any further messages from the background page
port.onMessage.addListener(msg => {
..............
// reply
port.postMessage(anyJSONfiableObject); // not DOM elements!
});
background.js:
var iframePort;
chrome.browserAction.onClicked.addListener(() => {
document.body.insertAdjacentHTML('beforeend',
'<iframe src="http://localhost:3000/"></iframe>');
});
chrome.runtime.onConnect.addListener(port => {
// save in a global variable to access it later from other functions
iframePort = port;
port.onMessage.addListener(msg => {
if (msg.html) {
const doc = new DOMParser().parseFromString(msg.html, 'text/html');
console.log(doc);
alert('Received HTML from the iframe, see the console');
}
});
});
See also a similar QA: content.js in iframe from chrome-extension popup
Is there a WordPress plugin that will enable deep linking to an embedded iframe? I'd like to be able, for example, to tweet a URL to a post that has extra information that will be passed down to the iframe.
An example would be an iframe that plays a video. The extra information in this case might be the time offset to start playing the video.
The extra info could be passed as query params, fragments, or some other way.
Probably not via a WordPress plugin, unless you are looking to develop a custom plugin.
It is best to avoid iframes whenever you can for these reasons.
That said, the solution is pretty simple using the window.postMessage method and works in most browsers, including IE8 and up.
Notes:
All messages should be sent as strings to avoid a nasty bug in IE8/9. If you want to pass an object, pass it in JSON format.
You can't JSON.serialize() the window.location object in IE8. If you are trying to pass that object, you have to copy the properties one by one.
IE only supports el.contentWindow.postMessage(), not el.postMessage().
Outer page
window.onload = function()
{
var child = document.getElementById('deep_link_frame');
var msg = {
"location" : {
"hash" : window.location.hash,
"host" : window.location.host,
"hostname" : window.location.hostname,
"href" : window.location.href,
"origin" : window.location.origin,
"pathname" : window.location.pathname,
"port" : window.location.port,
"protocol" : window.location.protocol,
"search" : window.location.search
}
};
child.contentWindow.postMessage(JSON.stringify(msg), '*');
};
Inner page
function bindEvent(el, eventName, eventHandler)
{
if (el.addEventListener)
{
el.addEventListener(eventName, eventHandler);
}
else
{
el.attachEvent('on' + eventName, eventHandler);
}
}
bindEvent(window, 'message', function(e)
{
if (e.origin === "http://your-domain.com")
{
var message = JSON.parse(e.data);
alert(message.location.href);
}
});
How can I cause Firefox to ignore the Content-Disposition: attachment header?
I find it absolutely annoying that I can't view an image in the browser, because it asks me to download it.
I don't want to download the file, I just want to view it in the browser. If the browser doesn't have a plugin to handle it, then it should ask to download.
E.g. I have Adobe Acrobat Reader installed as a plugin for Firefox. I click a link to a PDF, and it asks me to save it, when it should open in the browser using the plugin. This is the behaviour if the server does not send the Content-Disposition: attachment header in the response.
Firefox 3.6.6
Windows XP SP3
Legacy InlineDisposition 1.0.2.4 by Kai Liu can fix this problem.
In the Classic Add-ons Archive at:
caa:addon/inlinedisposition
The "Open in browser" extension is useful for formats supported natively by the browser, not sure about PDF.
Legacy version 1.18 (for users of browsers such as Waterfox Classic) is in the Classic Add-ons Archive at:
caa:addon/open-in-browser
I also found this tonight that totally prevents Firefox from littering your desktop with downloads. It's actually a redirect fix to the hidden /private/temp folder in MAC. Genius.
You can mimic the Windows behaviour simply by changing [Firefox's]
download directory to /tmp.
To do this, open Firefox's General preferences pane, under Save
Downloaded Files To select [choose].... In the dialog that appears,
hit Shift-Command-G to bring up the Go to Folder dialog.
In this dialog, simply type /tmp, hit OK, then hit Select in the
main window.
Well, that's the purpose of disposition type "attachment".
The default behavior (when the header is absent) should be to display in-line.
Maybe there's a configuration problem in your browser, or the Reader plugin?
For PDFs there is an addon called PDF-Download which overrides any attempt to download a PDF and lets the user decide how they want it downloaded (inline, save, external, etc). You could probably modify it to work for other filetypes too.
You could write a firefox extension that removes the disposition header for PDF files. This would be a fairly simple extension.
Since I was looking for a solution and no available add-on was actually working with my Firefox 31.0 (Ubuntu) I decided to try creating my own add-on.
The code if you want to archive a similar goal or just want to know how it works.
console.log("starting addon to disable content-disposition...");
//getting necessary objects
var {Cc, Ci} = require("chrome");
//creating the observer object which alters the Content-Disposition header to inline
var httpResponseObserver = {
//gets fired whenever a response is getting processed
observe: function(subject, topic, data) {
if (topic == "http-on-examine-response") {
var httpChannel = subject.QueryInterface(Ci.nsIHttpChannel);
httpChannel.setResponseHeader("Content-Disposition", "inline", false);
}
},
//needed for this.observerServer.addObserver --> without addObserver will fail
get observerService() {
return Cc["#mozilla.org/observer-service;1"].getService(Ci.nsIObserverService);
},
//used to register with an observer
register: function() {
console.log("register with an observer to get response-events");
this.observerService.addObserver(this, "http-on-examine-response", false);
},
//used to unregister from the observer
unregister: function() {
console.log("unregister from observer");
this.observerService.removeObserver(this, "http-on-examine-response");
}
};
//gets called at enable or install of the add-on
exports.main = function(options, callbacks) {
console.log("content-dispostion main method got invoked");
//call register to make httpResponseObserver.observe get fired whenever a response gets processed
httpResponseObserver.register();
};
//gets called on disable or uninstall
exports.onUnload = function(reason) {
console.log("content-dispostion unloaded");
//unregister from observer
httpResponseObserver.unregister();
};
/*
//not needed!!! just test code for altering http-request header
var httpRequestObserver =
{
observe: function(subject, topic, data)
{
console.log("in observe...");
console.log("topic is: " + topic);
if (topic == "http-on-modify-request") {
var httpChannel = subject.QueryInterface(Ci.nsIHttpChannel);
httpChannel.setRequestHeader("X-Hello", "World", false);
}
},
get observerService() {
return Cc["#mozilla.org/observer-service;1"].getService(Ci.nsIObserverService);
},
register: function()
{
this.observerService.addObserver(this, "http-on-modify-request", false);
},
unregister: function()
{
this.observerService.removeObserver(this, "http-on-modify-request");
}
};
httpRequestObserver.register();
*/
As an alternative you can get my xpi-File to directly install the add-on in Firefox. If you want to disable the "Content-Disposition" altering just deactivate the add-on ;-).
http://www.file-upload.net/download-9374691/content-disposition_remover.xpi.html