Disable X-Frame-Option on client side

3

18

I would like to disable the X-Frame-Option header on the client side in Firefox (and Chrome). What I've found: Overcoming "Display forbidden by X-Frame-Options". A non-client-side solution isn't suitable for my purpose.

https://bugzilla.mozilla.org/show_bug.cgi?id=707893 This seems to be pretty close. I tried creating the user.js in the profile dir with the code user_pref("b2g.ignoreXFrameOptions", true); but it didn't work. The second last entry seems to imply compiling ff with modified code? If this is the case, it's also not a possible solution for me.

I just wrote a little HTML page with some JS that loops a list of YouTube videos by successively loading them into an iframe. I know YouTube supports playlists but they suck and I don't want to download the videos. Also, it would be nice if the browser only ignored the X-Frame-Option for local files. This would somewhat minimize the security hole I tear open by disabling this. As for Chrome, a solution would be nice but isn't that important.

I guess another approach would be to intercept incoming TCP/IP packets which contain an HTTP response and remove this header line, but this is quite an overkill.

[edit] Using youtube.com/embed is a bad workaround since a lot of videos don't allow embedding...

Scrivner answered 14/10, 2012 at 11:29 Comment(0)
7

This can be easily achieved using an HTTP Observer through a Firefox extension. That observer will look something like this:

let myListener =
{
    observe : function (aSubject, aTopic, aData)
    {
        if (aTopic == "http-on-examine-response")
        {
            let channel = aSubject.QueryInterface(Ci.nsIHttpChannel);

            try
            { // getResponseHeader will throw if the header isn't set

                let hasXFO = channel.getResponseHeader('X-Frame-Options');

                if (hasXFO)
                {
                    // Header found, disable it
                    channel.setResponseHeader('X-Frame-Options', '', false);
                }
            }
            catch (e) {}
        }
    }
}

You can find further info such as how to install the observer on MDN[1][2]

[1] : https://developer.mozilla.org/en/docs/Observer_Notifications#HTTP_requests

[2] : https://developer.mozilla.org/en-US/docs/Setting_HTTP_request_headers#Registering

Norvin answered 16/5, 2014 at 20:46 Comment(3)
Further information on other browsers would be helpful as well! - Pin
Both links are dead. - Prosciutto
@Prosciutto This answer is 8 years old, and these APIs have been deprecated since. - Norvin
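
The question asks that the header be ignored only for a local page, and the comments above note that the observer API is deprecated. As an added example (not code from any answer or from the linked add-ons), this shows a Firefox WebExtension `webRequest.onHeadersReceived` listener that drops the header only for sub-frames of one local page. The host allowlist and the `file://` path are constructed placeholders, and the `webRequest`, `webRequestBlocking` and host permissions in the manifest are assumed.

```javascript
// Added example: scoped X-Frame-Options removal for a Firefox WebExtension.
// ALLOWED_HOSTS and PARENT_PREFIX are constructed placeholder values.
const ALLOWED_HOSTS = new Set(["www.youtube.com"]);
const PARENT_PREFIX = "file:///home/user/player/"; // hypothetical local page

// Decide whether this response may have its X-Frame-Options header dropped.
function inScope(details) {
  if (details.type !== "sub_frame") return false;            // never top-level loads
  if (typeof details.documentUrl !== "string") return false; // parent document unknown
  if (!details.documentUrl.startsWith(PARENT_PREFIX)) return false;
  try {
    const u = new URL(details.url);
    return u.protocol === "https:" && ALLOWED_HOSTS.has(u.hostname);
  } catch (e) {
    return false;                                            // unparsable URL: leave alone
  }
}

// Returns the BlockingResponse; {} means "leave the headers unchanged".
function onHeadersReceived(details) {
  if (!inScope(details) || !Array.isArray(details.responseHeaders)) return {};
  const kept = details.responseHeaders.filter(
    (h) => h.name.toLowerCase() !== "x-frame-options"        // header names are case-insensitive
  );
  // Content-Security-Policy (frame-ancestors) is deliberately left untouched.
  return kept.length === details.responseHeaders.length ? {} : { responseHeaders: kept };
}

// Register only when running inside an extension (skipped under Node).
if (typeof browser !== "undefined" && browser.webRequest) {
  browser.webRequest.onHeadersReceived.addListener(
    onHeadersReceived,
    { urls: ["https://www.youtube.com/*"], types: ["sub_frame"] },
    ["blocking", "responseHeaders"]
  );
}
```

Every other frame, page and host keeps its framing protection, because anything outside the allowlisted host and the one parent page returns an empty response object.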
4

Using diegocr's code, I've created a Firefox add-on to allow the displaying of webpages that have X-Frame-Options in their header, so they will be displayed when accessed via an iframe. It can be downloaded/installed here: https://addons.mozilla.org/en-US/firefox/addon/ignore-x-frame-options/

Ergonomics answered 13/7, 2015 at 19:21 Comment(3)
René Houkema, I tried this but it did not solve my case. I left info in the add-on review section. - Condemn
@René Houkema I tried it also and it didn't work. I have printed Error: [$injector:modulerr] Failed to instantiate module demoApp due to... - Proteose
@Patrick I wanted the same and found this: github.com/psywolf85/Ignore_X-Frame-Options. I had mixed results but it worked fine for the specific purpose I needed it. - Wharton
4

The Firefox extension mentioned by René Houkema in the other answer no longer works, so I created a new one.

https://addons.mozilla.org/fr/firefox/addon/ignore-x-frame-options-header/

This extension is also compatible with Quantum.

Source & updates: https://github.com/ThomazPom/Moz-Ext-Ignore-X-Frame-Options

Necaise answered 17/7, 2018 at 7:59 Comment(0)
