
Ability to suppress the X-Frame-Options header

Open McBoof opened this issue 3 years ago • 0 comments

Search Terms

amp,x-frame-options,csp,app,iframe

Suggestion

We are trying to embed the comments into a webview of a native app. However, the app always presents itself to Coral as 'localhost' with a dynamic port. The X-Frame-Options header is preventing this from working, and we'd like a way to disable it.

A change was made to relax the frame-ancestors part of the CSP ([CORL-1658] AMP Configuration #3466), but this doesn't affect X-Frame-Options.

We would suggest being able to either:

  • Include '*' as a wildcard domain for the X-Frame-Options check
  • Include a new setting that prevents the check

The code we'd like to short-circuit is in csp.ts:

  // csp.ts: the header is set whenever generateFrameOptions returns a value
  const frameOptions = generateFrameOptions(req, origins);
  if (frameOptions) {
    res.setHeader("X-Frame-Options", frameOptions);
  }

Use Cases

  • Allow the embedding of comments in a file hosted on a file:// URL
  • Allow the embedding of the comments in a native app that uses webviews from a local cache (for offline) that always present as https://localhost/
  • Allow for apps that use port switching on the requests

McBoof avatar Mar 04 '22 11:03 McBoof
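To illustrate the trade-off behind this request, here is an added example written for this page; it is not Coral's csp.ts, and the function names, the shape of the origin allow-list and the sample origins are assumptions. The point it shows: X-Frame-Options only has the values DENY and SAMEORIGIN (ALLOW-FROM is obsolete and there is no wildcard), so it cannot express "https://localhost on any port". CSP frame-ancestors can, with a host-source like https://localhost:*, and browsers that support frame-ancestors ignore X-Frame-Options when both headers are present; X-Frame-Options is only the fallback for browsers without CSP support. Treating "*" in the allow-list as an explicit opt-out that drops X-Frame-Options altogether therefore relaxes clickjacking protection only where the operator asked for it, and the matcher below checks whether a given embedder origin would be allowed by the resulting policy.

```typescript
// Added example, not Coral's code. Builds the two anti-clickjacking headers
// from one hypothetical allow-list and evaluates frame-ancestors for a given
// embedder origin. Only scheme://host[:port] sources are handled.

interface FramingHeaders {
  "Content-Security-Policy": string;
  "X-Frame-Options"?: string;
}

interface ParsedOrigin {
  scheme: string;
  host: string;
  port: string; // numeric string, "*" for a wildcard port, or "" if unknown
}

// Parse "scheme://host[:port]" where port may be "*". Returns null if the
// string is not an origin of that shape.
function parseOrigin(s: string): ParsedOrigin | null {
  const m = /^([a-z][a-z0-9+.-]*):\/\/([^/:]+)(?::(\d+|\*))?$/i.exec(s.trim());
  if (!m) return null;
  const scheme = m[1].toLowerCase();
  const host = m[2].toLowerCase();
  let port = m[3] !== undefined ? m[3] : "";
  if (port === "") {
    // CSP host-sources without a port match the scheme's default port.
    port = scheme === "https" ? "443" : scheme === "http" ? "80" : "";
  }
  return { scheme, host, port };
}

// "*" anywhere in the allow-list is the operator's explicit opt-out: emit
// frame-ancestors * and no X-Frame-Options, because X-Frame-Options has no
// wildcard form. Otherwise emit an explicit allow-list plus SAMEORIGIN as the
// legacy fallback for browsers that do not understand frame-ancestors.
function buildFramingHeaders(origins: string[]): FramingHeaders {
  if (origins.includes("*")) {
    return { "Content-Security-Policy": "frame-ancestors *" };
  }
  const sources = ["'self'", ...origins.map((o) => o.trim())];
  return {
    "Content-Security-Policy": `frame-ancestors ${sources.join(" ")}`,
    "X-Frame-Options": "SAMEORIGIN",
  };
}

// Evaluate whether `embedder` (the top-level page's origin) may frame a page
// served with `csp` whose own origin is `pageOrigin`.
function isAncestorAllowed(csp: string, embedder: string, pageOrigin: string): boolean {
  const directive = csp
    .split(";")
    .map((d) => d.trim())
    .find((d) => d.startsWith("frame-ancestors "));
  if (!directive) return true; // no directive: CSP imposes no framing restriction
  const sources = directive.slice("frame-ancestors ".length).split(/\s+/);
  const e = parseOrigin(embedder);
  if (!e) return false;
  for (const src of sources) {
    if (src === "*") return true;
    if (src === "'none'") return false;
    if (src === "'self'") {
      const p = parseOrigin(pageOrigin);
      if (p && p.scheme === e.scheme && p.host === e.host && p.port === e.port) return true;
      continue;
    }
    const a = parseOrigin(src);
    if (!a || a.scheme !== e.scheme || a.host !== e.host) continue;
    if (a.port === "*" || a.port === e.port) return true;
  }
  return false;
}

// Stand-alone demo of the dynamic-port WebView case from the issue
// (sample origins are constructed for this example).
const demo = buildFramingHeaders(["https://localhost:*"]);
console.log(
  demo,
  isAncestorAllowed(demo["Content-Security-Policy"], "https://localhost:61234", "https://comments.example"),
);
```

A practical caveat: with the explicit allow-list variant, an old browser that only honours X-Frame-Options will still refuse the localhost:61234 embed because SAMEORIGIN is all that header can say; that is exactly the gap the issue describes, and the only header-level way around it is to omit X-Frame-Options for those deployments.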