Chromium Embedded Framework Forum

[chellio]

In my application, main frame's role is to wrapping document that is loaded in inner iframe. Documents are downloaded from third-party sites. In main frame I have defined js functions that interacts with document from iframe. There are also indexeDB functions. Problem is because some sites don't allow to be loaded in iframe, because they send back X-Frame-Options header response, and other restrictions.
My question is, it is possible to change behaviour of iframe to behave like iframe? ( simulate main frame in other words )

I tried also option with CefURLRequest and CefResourceHandler, but I appeared some issues and I think it is big overhead for purporse that I want to achieve.

Greetings.

[fddima]

Of course is possible by many ways.

1. Disable security with switches and/or by direct patching of chromium codebase. Or filter out this headers in chromium networking level.

2.a. Filter response headers. From CEF side i'm know only way is implement own CefResourceHandler, process and provide customized response. Acceptable but has drawbacks (needs handle character encoding itself, some headers are not recognized from handlers now. Any content provided by handlers are not cacheable.)

2.b. Filter response headers. Via custom proxy server.

3. Don't use iframes. Instead any queries to content can be executed by native code over regular browser. So it is big arch change, more native<>js interactions, but you will not use hacks in this case.

All in your hands. For example we have about all listed approaches for our tasks.

But i'm will like to hear new ideas.

[chellio]

4. Inject javascript code. On context creating execute following, and then for example by CefResourceHandler load "https://client.xyz/scripts/general.js". The best option from file to avoid necessity of recompiling. Then interact with script by bindings and IPC or other method.

Code: Select all

        CefString code = "\
            document.addEventListener('readystatechange', function(){               \
                if(document.readyState == 'interactive') {                          \
                    var general = document.createElement('script');                 \
                    general.src = 'https://client.xyz/scripts/general.js';          \
                    document.head.appendChild(general);                             \
                }                                                                   \
            } );                                                                    \
            ";

        frame->ExecuteJavaScript(code,"inj.js", 1);

[fddima]

And how it helps breach security policy?

[chellio]

1. I can now devote main frame to load interesting document -> mitigate X-Frame-Options header that don't allow it. Previously I used main frame to load own document with inner iframe, to load interesting document. Now my script is placed also in main frame, no security restrictions affect it.
2. Mixed-content response header is mitigate by using https script's URL
3. No other restrictions appeared by such inject.

[fddima]

1. Remove neccesity of using iframe to load interesting document -> mitigate X-Frame-Options header that don't allow it. Previously I used main frame to load own document with inner iframe, to load interesting document. Script was placed in own document. Script placed in such place also was affected by security policy.
2. No other restrictions appeared by such inject.

Ah. Last time i'm worked on issue #2005: Executing scripts in restricted contexts, and read topic in other angle (inject own scripts in CSP-constrained documents). Not strictly, but related.