search

r0x0r / pywebview

Build GUI for your Python program with JavaScript, HTML, and CSS
https://pywebview.flowrl.com
BSD 3-Clause "New" or "Revised" License
4.62k stars 537 forks source link

any way to edit the response headers (or somehow disable X-Frame-Options)? #1371

Open Phouter0499 opened 4 months ago

Phouter0499 commented 4 months ago

Specification

Description

I am trying to load a webpage into an iframe element by simply updating the src attribute. However, I notice I am getting the "Refused to display 'https://www.example.com/' in a frame because it set 'X-Frame-Options' to 'sameorigin'." It looks there was a related question where OP asked whether X-Frame-Options can be disabled but he wasn't using the same renderer as I am using. Anyways, I tried to use bottle in someway where I can process the response object before the browser does but I have yet to figure out how.

Practicalities

r0x0r commented 4 months ago

Currently no, but I have been planning to add editing requests and responses. Help is welcomed.

Phouter0499 commented 4 months ago

Hi, thanks for responding but would it be possible for you tell me where to start. I plan on reading the source code and make some quick tricks as a temp bandage solution but it would save me some time if you could point in the right direction...

r0x0r commented 4 months ago

I envision API as follows. Both requests and responses could be accessed via window events, e.g. window.event.request_sent and window.event.response_received. Handlers would have headers: Dict parameter. If a dict is returned from a handler then it would become new headers. window.load_url could have an optional headers param as well. I have created a new headers branch.

As for actual platform specific implementation, googling for "renderername request/response headers" could be a good starting point. For example handling requests for Edge Chromium is described here https://learn.microsoft.com/en-us/microsoft-edge/webview2/how-to/webresourcerequested?tabs=dotnet. Basically you would attach to a correct handler on the actual webview and call something like 

new_headers = window.event.response_received(headers)
if new_headers:
   #set headers here
else:
  #return original headers

ChatGPT has proved useful when it comes to writing platform specific code. It is especially good when it comes to getting platform specific syntax right.

I am not sure if it is possible to implement editing response headers on every platform. In particular I quickly glanced over macOS and could not find a way to do it.

Phouter0499 commented 4 months ago

So after playing with edgechromium.py, editing the response headers is likely not possible with CoreWebView2. I added 

sender.CoreWebView2.AddWebResourceRequestedFilter('*', CoreWebView2WebResourceContext.All)
sender.CoreWebView2.WebResourceResponseReceived += self.on_web_resource_response

to on_webview_ready function and then tried editing the csp header with on_web_resource_response but it doesn't work:

def on_web_resource_response(self, sender, args):        
    if args.Response.Headers.Contains('content-security-policy'):
        args.Response.Headers.SetHeader('content-security-policy', '')

I also tried adding the --disable-web-security flag but to no avail...

Basically I am going to try one of the following approaches:

  1. Use proxy server
  2. Load extension
  3. Use javascript
r0x0r commented 4 months ago

The example on this page https://learn.microsoft.com/en-us/microsoft-edge/webview2/how-to/webresourcerequested?tabs=dotnet#overriding-a-response-to-proactively-replace-it creates a new response and assigns it to args.Response. Have you tried it? 

// Add a filter to select all image resources
webView.CoreWebView2.AddWebResourceRequestedFilter(
      "*", CoreWebView2WebResourceContext.Image);
webView.CoreWebView2.WebResourceRequested += delegate (
   object sender, CoreWebView2WebResourceRequestedEventArgs args) {

   // Replace the remote image resource with a local one specified at the path customImagePath.
   // If response is not set, the request will continue as it is.
   FileStream fs = File.Open(customImagePath, FileMode.Open);
   CoreWebView2WebResourceResponse response = webView.CoreWebView2.Environment.CreateWebResourceResponse(fs, 200, "OK", "Content-Type: image/jpeg");
   args.Response = response;
};
Phouter0499 commented 4 months ago

I don't follow as to why that would work. If an iframe tries loading another external website where its csp can't be controlled, then it shouldn't matter what the response was before retrieving that website. Changing the final response doesn't work it looks like.

r0x0r commented 4 months ago

I have not tested it, but to me it looks like args.Response is a setter property, setting which sets header update. Editing headers in place would not achieve the same effect.

github-actions[bot] commented 3 months ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

hustshenl commented 1 month ago

is there any page aount WebKit.WKWebView(cocoa)

The example on this page https://learn.microsoft.com/en-us/microsoft-edge/webview2/how-to/webresourcerequested?tabs=dotnet#overriding-a-response-to-proactively-replace-it creates a new response and assigns it to args.Response. Have you tried it?

// Add a filter to select all image resources
webView.CoreWebView2.AddWebResourceRequestedFilter(
      "*", CoreWebView2WebResourceContext.Image);
webView.CoreWebView2.WebResourceRequested += delegate (
   object sender, CoreWebView2WebResourceRequestedEventArgs args) {

   // Replace the remote image resource with a local one specified at the path customImagePath.
   // If response is not set, the request will continue as it is.
   FileStream fs = File.Open(customImagePath, FileMode.Open);
   CoreWebView2WebResourceResponse response = webView.CoreWebView2.Environment.CreateWebResourceResponse(fs, 200, "OK", "Content-Type: image/jpeg");
   args.Response = response;
};