any way to edit the response headers (or somehow disable X-Frame-Options)? #1371
Comments
|
Currently no, but I have been planning to add editing requests and responses. Help is welcomed. |
|
Hi, thanks for responding but would it be possible for you tell me where to start. I plan on reading the source code and make some quick tricks as a temp bandage solution but it would save me some time if you could point in the right direction... |
|
I envision API as follows. Both requests and responses could be accessed via window events, e.g. As for actual platform specific implementation, googling for "renderername request/response headers" could be a good starting point. For example handling requests for Edge Chromium is described here https://learn.microsoft.com/en-us/microsoft-edge/webview2/how-to/webresourcerequested?tabs=dotnet. Basically you would attach to a correct handler on the actual webview and call something like ChatGPT has proved useful when it comes to writing platform specific code. It is especially good when it comes to getting platform specific syntax right. I am not sure if it is possible to implement editing response headers on every platform. In particular I quickly glanced over macOS and could not find a way to do it. |
|
So after playing with edgechromium.py, editing the response headers is likely not possible with CoreWebView2. sender.CoreWebView2.AddWebResourceRequestedFilter('*', CoreWebView2WebResourceContext.All)
sender.CoreWebView2.WebResourceResponseReceived += self.on_web_resource_responseto on_webview_ready function and then tried editing the csp header with on_web_resource_response but it doesn't work: def on_web_resource_response(self, sender, args):
if args.Response.Headers.Contains('content-security-policy'):
args.Response.Headers.SetHeader('content-security-policy', '')I also tried adding the --disable-web-security flag but to no avail... Basically I am going to try one of the following approaches:
|
|
The example on this page https://learn.microsoft.com/en-us/microsoft-edge/webview2/how-to/webresourcerequested?tabs=dotnet#overriding-a-response-to-proactively-replace-it creates a new response and assigns it to // Add a filter to select all image resources
webView.CoreWebView2.AddWebResourceRequestedFilter(
"*", CoreWebView2WebResourceContext.Image);
webView.CoreWebView2.WebResourceRequested += delegate (
object sender, CoreWebView2WebResourceRequestedEventArgs args) {
// Replace the remote image resource with a local one specified at the path customImagePath.
// If response is not set, the request will continue as it is.
FileStream fs = File.Open(customImagePath, FileMode.Open);
CoreWebView2WebResourceResponse response = webView.CoreWebView2.Environment.CreateWebResourceResponse(fs, 200, "OK", "Content-Type: image/jpeg");
args.Response = response;
}; |
|
I don't follow as to why that would work. If an iframe tries loading another external website where its csp can't be controlled, then it shouldn't matter what the response was before retrieving that website. Changing the final response doesn't work it looks like. |
|
I have not tested it, but to me it looks like |
Specification
Description
I am trying to load a webpage into an iframe element by simply updating the src attribute. However, I notice I am getting the "Refused to display 'https://www.example.com/' in a frame because it set 'X-Frame-Options' to 'sameorigin'."
It looks there was a related question where OP asked whether X-Frame-Options can be disabled but he wasn't using the same renderer as I am using. Anyways, I tried to use bottle in someway where I can process the response object before the browser does but I have yet to figure out how.
Practicalities
YES
NO
The text was updated successfully, but these errors were encountered: