bokub / home-assistant-extension

📌 Home Assistant browser extension
MIT License
171 stars 3 forks

Not working when embedded iframe is not allowed #11

Closed tripplet closed 3 years ago

tripplet commented 3 years ago

For security reasons I have set X-Frame-Options and Content-Security-Policy/frame-ancestors to not allow my home-assistant website to be used in an iframe.

X-Frame-Options: SAMEORIGIN;
Content-Security-Policy: "frame-ancestors 'self'" always;


The same happens for the popup window. Would it be possible to just load the page and modify it afterwards by injecting code instead of embedding it in an iframe for the popup? This is something only a browser add-on can do and not a generic website.

Best regards, Tobi

bokub commented 3 years ago

Would it be possible to just load the page and modify it afterwards by injecting code instead of embedding it in an iframe for the popup?

I'm not sure it's even possible, and even if what you're telling me is true, it looks like a lot of work for an issue that only a few people will encounter...

However, feel free to submit a PR or at least a proof of concept and I'll take a look.

bokub commented 3 years ago

To be honest, I don't even see the point.

You're concerned about iframes for "security reasons", but you don't mind if my extension has access to the content of your Home Assistant dashboard (+ all other websites you'd visit)?

bokub commented 3 years ago

Maybe you can just change your headers to allow this extension (not sure it works, tho):

Content-Security-Policy: frame-ancestors 'self' chrome-extension://hpoiflhmfklhfcfpibmdmpeonphmdbda;

tripplet commented 3 years ago

To be honest, I don't even see the point.

You're concerned about iframes for "security reasons", but you don't mind if my extension has access to the content of your Home Assistant dashboard (+ all other websites you'd visit)?

The difference is for the add-on I'm now setting an explicit exception, otherwise the addon would not be able to do this (hence this issue). The concern is with other (any) websites embedding pages from my server.

The add-on does not have access to all other websites I visit, as the current permissions do not allow for that: https://github.com/bokub/home-assistant-extension/blob/e869866e732b14f904e0526496c21bc3eedd19fb/assets/manifest.chrome.json#L7 A change in these permissions would require approval by the user before they become active.

Maybe you can just change your headers to allow this extension (not sure it works, tho):

Content-Security-Policy: frame-ancestors 'self' chrome-extension://hpoiflhmfklhfcfpibmdmpeonphmdbda;

Thanks for looking into the problem. This works, but only if I remove the X-Frame-Options header. As the Content-Security-Policy supersedes X-Frame-Options in newer browsers anyway, this works for me.

However, feel free to submit a PR or at least a proof of concept and I'll take a look.

A workaround would be to dynamically change the headers received by the add-on, but I think this would require the "access to all websites" permission (as the Home Assistant URL is chosen by the user), which seems like an overreach for this special problem that probably only I have :blush:

Example: xframe_ignore/src/background.js
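The precedence the thread relies on (a Content-Security-Policy `frame-ancestors` directive makes browsers ignore X-Frame-Options, so SAMEORIGIN only blocks the extension when CSP is absent) can be checked offline with the small evaluator below. It is an added example, not code from the extension or from either commenter; the Home Assistant origin and the page path are constructed, while the extension id and the header values are the ones quoted in the issue.

```python
# Added example (not part of the extension or the issue): decide whether a
# response may be framed by a given embedder origin, following spec precedence:
# when Content-Security-Policy carries frame-ancestors, X-Frame-Options is ignored.
from urllib.parse import urlsplit


def origin_of(url: str) -> str:
    """scheme://host[:port] in lower case; works for chrome-extension:// URLs too."""
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}".lower()


def frame_ancestors_sources(csp: str):
    """Source list of the frame-ancestors directive, or None if it is absent.
    Splitting on ';' also swallows the trailing ';' seen in the issue's header."""
    for directive in csp.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            return [s.strip("'").lower() for s in parts[1:]]
    return None


def csp_allows(sources, page: str, embedder: str) -> bool:
    """Subset of CSP source matching: 'none', 'self', '*', scheme-source, exact origin."""
    if not sources or sources == ["none"]:
        return False  # an empty source list blocks every embedder
    return any(src == "*"
               or (src == "self" and embedder == page)
               or (src.endswith(":") and embedder.startswith(src))  # e.g. "https:"
               or embedder == src.rstrip("/")
               for src in sources)


def xfo_allows(value: str, page: str, embedder: str) -> bool:
    """X-Frame-Options semantics; a stray trailing ';' is tolerated.
    Unknown values (including the dropped ALLOW-FROM) are ignored, i.e. allow."""
    v = value.strip().rstrip(";").strip().upper()
    if v == "DENY":
        return False
    if v == "SAMEORIGIN":
        return embedder == page
    return True


def framing_allowed(headers: dict, page_url: str, embedder_url: str):
    """Return (allowed, decided_by) for the response headers served at page_url."""
    page, embedder = origin_of(page_url), origin_of(embedder_url)
    h = {k.lower(): v for k, v in headers.items()}
    sources = frame_ancestors_sources(h.get("content-security-policy", ""))
    if sources is not None:  # frame-ancestors present: XFO is not consulted at all
        return csp_allows(sources, page, embedder), "frame-ancestors"
    if "x-frame-options" in h:
        return xfo_allows(h["x-frame-options"], page, embedder), "x-frame-options"
    return True, "no-policy"
```

Run it against the issue's two header sets to see why the extension popup is blocked with `SAMEORIGIN` alone and allowed once the `chrome-extension://` source is listed, while an unrelated site stays blocked either way.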