从Chrome 90开始,无法修改X-Frame-Options响应标头



我有一个Chrome扩展,它一直运行得很好,但最近(似乎是从Chrome 90开始)坏了。该扩展会把一些页面加载到iframe中,并删除响应中的X-Frame-Options标头,这样即使站点设置了该标头来禁止被嵌入iframe,也仍然可以被嵌入。background.js中执行此操作的代码如下。

然而,从Chrome 90及以上版本开始,这不再有效,因为每个iframe中都会出现“站点拒绝连接”错误。有新的方法吗?

/**
 * Returns a new header list without the response headers named below.
 *
 * Names are compared case-insensitively against `header.name`; the input
 * array and its entries are left untouched.
 *
 * Security note: besides X-Frame-Options, the list removes
 * Content-Security-Policy, Strict-Transport-Security, X-Content-Type-Options
 * and other protections the responding site asked the browser to enforce.
 * Every response passed through this function loses them, so the caller's
 * URL filter decides how many sites are affected.
 *
 * @param {{name: string}[]} headers - Header entries, each with a `name`.
 * @returns {{name: string}[]} The entries whose name is not in the list.
 */
function stripHeaders(headers) {
  const strippedNames = new Set([
    'content-security-policy',
    'x-frame-options',
    'permissions-policy',
    'x-xss-protection',
    'x-content-type-options',
    'strict-transport-security',
    'expect-ct',
    'expires',
    'cache-control',
    'pragma',
    'cf-cache-status',
    'cf-ray',
    'cf-request-id',
    // NOTE(review): kept exactly as written; this looks like a misspelling of
    // 'content-encoding'. As spelled it matches no standard header, so
    // Content-Encoding passes through. Confirm the intent before changing it.
    'content-ecoding',
  ]);

  return headers.filter((header) => !strippedNames.has(header.name.toLowerCase()));
}
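// Registers a blocking onHeadersReceived listener that replaces each response's
// headers with the filtered list from stripHeaders().
//
// As reported on this page, from Chrome 90 this option list no longer removes
// X-Frame-Options; "extraHeaders" has to be added to it.
//
// NOTE(review): the "<all_urls>" filter applies the stripping to every response
// the browser receives, not only to the pages the extension embeds. Narrowing
// `urls` to the embedded origins and adding `types: ['sub_frame']` would keep
// security headers intact everywhere else. Confirm which requests need it.
chrome.webRequest.onHeadersReceived.addListener(
  (details) => {
    // Filter once and reuse the result for both the log line and the return
    // value, rather than running the filter twice per response.
    const responseHeaders = stripHeaders(details.responseHeaders);
    console.log(responseHeaders);
    return { responseHeaders };
  },
  { urls: ['<all_urls>'] },
  ['blocking', 'responseHeaders'],
);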

好吧,几分钟后我找到了答案。关键的变化似乎是:除了“blocking”和“responseHeaders”之外,还需要添加“extraHeaders”。此外,如果您还没有这样做(我已经这样做了),那么必须把Content-Security-Policy和X-Frame-Options一起列为要删除的标头。其他标头无关紧要。为了证明这一点,我在GitHub上查看了一个名为xframe_ignore的Chrome扩展的代码(https://github.com/guilryder/chrome-extensions/tree/main/xframe_ignore)。

/**
 * Filters a response-header list, dropping every entry whose lower-cased
 * name appears in `droppedNames`. A new array is returned; the input is not
 * changed.
 *
 * Security note: the surrounding text says only X-Frame-Options and
 * Content-Security-Policy have to go for framing to work. The remaining names
 * (HSTS, X-Content-Type-Options, Permissions-Policy, ...) are protections
 * that are removed as well, so keep the list as short as the use case allows.
 *
 * @param {{name: string}[]} headers - Header entries, each with a `name`.
 * @returns {{name: string}[]} Entries that are not on the drop list.
 */
function stripHeaders(headers) {
  const droppedNames = [
    'content-security-policy',
    'x-frame-options',
    'permissions-policy',
    'x-xss-protection',
    'x-content-type-options',
    'strict-transport-security',
    'expect-ct',
    'expires',
    'cache-control',
    'pragma',
    'cf-cache-status',
    'cf-ray',
    'cf-request-id',
    // NOTE(review): reproduced as written; probably meant 'content-encoding'.
    // With this spelling Content-Encoding is never removed. Verify before
    // correcting it.
    'content-ecoding',
  ];
  const isKept = ({ name }) => droppedNames.indexOf(name.toLowerCase()) === -1;

  return headers.filter(isKept);
}
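// Registers a blocking onHeadersReceived listener that returns the header list
// produced by stripHeaders() for each response. "extraHeaders" is the option
// the answer identifies as required from Chrome 90 for the removal to work.
//
// NOTE(review): with "<all_urls>" the security headers are removed from every
// response, including top-level page loads. Restricting `urls` to the sites
// that are actually embedded and adding `types: ['sub_frame']` would limit the
// weakening to the extension's own iframes. Confirm against the use case.
// NOTE(review): with "extraHeaders" the list can include sensitive headers such
// as Set-Cookie, and console.log below prints them in full; consider dropping
// the log outside of debugging.
// NOTE(review): blocking webRequest listeners are generally a Manifest V2
// mechanism; Manifest V3 extensions use declarativeNetRequest header rules.
chrome.webRequest.onHeadersReceived.addListener(
  (details) => {
    // Compute the filtered list once; the original ran the filter twice, once
    // for logging and once for the returned value.
    const filteredHeaders = stripHeaders(details.responseHeaders);
    console.log(filteredHeaders);
    return { responseHeaders: filteredHeaders };
  },
  { urls: ['<all_urls>'] },
  ['blocking', 'responseHeaders', 'extraHeaders'],
);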
