Disable X-Frame-Option on client side

firefox google-chrome client-side x-frame-options
Klausi Mausi picture Klausi Mausi · Oct 14, 2012 · Viewed 21.9k times · Source

I would like to disbale the X-Frame-Option Header on client side on Firefox(and Chrome). What I've found: Overcoming "Display forbidden by X-Frame-Options" A non-client side solution isn't suitable for my purpose

https://bugzilla.mozilla.org/show_bug.cgi?id=707893 This seems to be pretty close. I tried creating the user.js in the profile dir with the code user_pref("b2g.ignoreXFrameOptions", true); but it didn't work. The second last entry seems to imply compiling ff with modified code? If this is the case, it's also not a possible solution for me.

I just wrote a little HTML Page with some JS that loops a list of YouTube videos by successively loading them into an iframe. I know youtube supports playlists but they suck and I dont want to download the videos. Also, it would be nice if the browser only ignores the X-Frame-Option for local files. This would somewhat minimize the security hole I tear open by disabling this. As for Chrome, a solution would be nice but isn't that important.

I guess another approach would be to intercept incoming TCP/IP packets which contain a HTTP Respone and remove this header line but this is quite an overkill.

[edit] Using youtube.com/embed is a bad workaround since a lot of videos dont allow to be embedded...

Answer

diegocr picture diegocr · May 16, 2014

This can be easily achieved using an HTTP Observer through a Firefox extension. That observer will look something like this:

let myListener =
{
    observe : function (aSubject, aTopic, aData)
    {
        if (aTopic == "http-on-examine-response")
        {
            let channel = aSubject.QueryInterface(Ci.nsIHttpChannel);

            try
            { // getResponseHeader will throw if the header isn't set

                let hasXFO = channel.getResponseHeader('X-Frame-Options');

                if (hasXFO)
                {
                    // Header found, disable it
                    channel.setResponseHeader('X-Frame-Options', '', false);
                }
            }
            catch (e) {}
        }
    }
}

You can find further info such as how to install the observer on MDN[1][2]

[1] : https://developer.mozilla.org/en/docs/Observer_Notifications#HTTP_requests

[2] : https://developer.mozilla.org/en-US/docs/Setting_HTTP_request_headers#Registering

Related questions

Hide scroll bar, but while still being able to scroll

I want to be able to scroll through the whole page, but without the scrollbar being shown. In Google Chrome it's: ::-webkit-scrollbar { display: none; } But Mozilla Firefox and Internet Explorer don't seem to work like that. I also tried this …

Read More
How to manually send HTTP POST requests from Firefox or Chrome browser?

I want to test some URLs on a web application I'm working on. For that I would like to manually create HTTP POST requests (meaning I can add whatever parameters I like). Is there any extension or functionality in Chrome …

Read More
How to verify an XPath expression in Chrome Developers tool or Firefox's Firebug?

How can I verify my XPath? I am using Chrome Developers tool to inspect the elements and form my XPath. I verify it using the Chrome plugin XPath Checker, however it does not always give me the result. What is …

Read More