Disable X-Frame-Option on client side

问题

I would like to disbale the X-Frame-Option Header on client side on Firefox(and Chrome). What I've found: Overcoming "Display forbidden by X-Frame-Options" A non-client side solution isn't suitable for my purpose

https://bugzilla.mozilla.org/show_bug.cgi?id=707893 This seems to be pretty close. I tried creating the user.js in the profile dir with the code user_pref("b2g.ignoreXFrameOptions", true); but it didn't work. The second last entry seems to imply compiling ff with modified code? If this is the case, it's also not a possible solution for me.

I just wrote a little HTML Page with some JS that loops a list of YouTube videos by successively loading them into an iframe. I know youtube supports playlists but they suck and I dont want to download the videos. Also, it would be nice if the browser only ignores the X-Frame-Option for local files. This would somewhat minimize the security hole I tear open by disabling this. As for Chrome, a solution would be nice but isn't that important.

I guess another approach would be to intercept incoming TCP/IP packets which contain a HTTP Respone and remove this header line but this is quite an overkill.

[edit] Using youtube.com/embed is a bad workaround since a lot of videos dont allow to be embedded...

回答1:

This can be easily achieved using an HTTP Observer through a Firefox extension. That observer will look something like this:

let myListener =
{
    observe : function (aSubject, aTopic, aData)
    {
        if (aTopic == "http-on-examine-response")
        {
            let channel = aSubject.QueryInterface(Ci.nsIHttpChannel);

            try
            { // getResponseHeader will throw if the header isn't set

                let hasXFO = channel.getResponseHeader('X-Frame-Options');

                if (hasXFO)
                {
                    // Header found, disable it
                    channel.setResponseHeader('X-Frame-Options', '', false);
                }
            }
            catch (e) {}
        }
    }
}

You can find further info such as how to install the observer on MDN[1][2]

[1] : https://developer.mozilla.org/en/docs/Observer_Notifications#HTTP_requests

[2] : https://developer.mozilla.org/en-US/docs/Setting_HTTP_request_headers#Registering

回答2:

Using diegocr code, I've created an Firefox add-on to allow the displaying of webpages that have X-Frame-Options in their header, so they will be displayed when accessed via an iframe. It can be downloaded/installed here: https://addons.mozilla.org/en-US/firefox/addon/ignore-x-frame-options/

回答3:

The Firefox extension mentioned by René Houkema in the other answer above no longer works anymore so I created a new one.

https://addons.mozilla.org/fr/firefox/addon/ignore-x-frame-options-header/

This extension is also compatible with Quantum.

Source & updates: https://github.com/ThomazPom/Moz-Ext-Ignore-X-Frame-Options

来源：https://stackoverflow.com/questions/12881789/disable-x-frame-option-on-client-side