I'm writing a chrome extension that like intab loads links in an inline iframe, it works great except for sites that set the X-Frame-Options header to DENY or SAMEORIGIN.
In this Question a working solution provided for the case where the HTTP header contains X-Frame-Options property. But, X-Frame-Options can also be set in a element in the HTML .
Is there a way to remove this element before it's being loaded by chrome?
<meta name="X-frame-options"/>There is no such thing as <meta name="X-Frame-Options">.
And, manipulating the DOM before chrome loads it, is also not possible.
Chrome loads a page, and then creates the dom.
x-frame-options then?X-frame-options are server-side set http headers.
They are part of the security protection (e.g. against clickjacking). Chrome or any other browser will not let you ignore/change it. Period.
Side note:if it's your site, you can change x-frame-options per PHP.
Side note #2: the only way to do this is XSS. I'm pretty sure you don't want to do that.
