[Feature-Request] Ignore x-frame-options / content-security-policy header

[kekkc]

Hi,

not directly spoofing, but some possible improvement. Sites can set an x-frame-options header to disable the site from being displayed within a frame. Would be cool if there would be an option in Chameleon directly to disable these headers.

This already exists in a standalone extension:
https://github.com/ThomazPom/Moz-Ext-Ignore-X-Frame-Options/blob/b5f01a048d5b95f04ee5dd90f2cc94e083d239f1/background.js#L4C1-L5C40

Greetz

[sereneblue]

Hi @kekkc, ignoring this header seems like something that would reduce security. I don't think I'll be adding this as a feature to Chameleon, but I am curious, what's the use case for this feature?

[kekkc]

A little inconvenience for me: no possibility in FF to bypass CSP for userscripts that are always injected into iframes (error is logged when some properties like host are called). One of my userscripts also replaces the src of all iframes with a data URI and only allows them when clicked. However almost all sites set x-frame-options, so the iframe is then just showing that FF is "not allowed to load the site".
https://bugzilla.mozilla.org/show_bug.cgi?id=1267027
https://bugzilla.mozilla.org/show_bug.cgi?id=1446231