X-Frame-Options: ALLOW-FROM in Firefox and Chrome

ALLOW-FROM is not supported in Chrome or Safari. See MDN article: https://developer.mozilla.org/en-US/docs/Web/HTTP/X-Frame-Options

You are already doing the work to make a custom header and send it with the correct data, can you not just exclude the header when you detect it is from a valid partner and add DENY to every other request? I don’t …

Getting around X-Frame-Options DENY in a Chrome extension?

Chrome offers the webRequest API to intercept and modify HTTP requests. You can remove the X-Frame-Options header to allow inlining pages within an iframe.

    chrome.webRequest.onHeadersReceived.addListener(
        function(info) {
            var headers = info.responseHeaders;
            for (var i = headers.length - 1; i >= 0; --i) {
                var header = headers[i].name.toLowerCase();
                if (header == 'x-frame-options' || header == 'frame-options') {
                    headers.splice(i, 1); // Remove header
    …