how to load iframe using contentscript and override xframe - google-chrome-extension

First of all, is there another built-in way to do this, like webview is in PhoneGap, so I can load an external site into a div or div-like element? I know webview exists for Chrome apps, but I couldn't find anything for extensions.
Basically I want to show previews of pages on links.
To do that I am trying to load the URLs of links by setting the src of iframes using a content script. However, for most URLs, I get an error that xframe is not allowed.
What are my options?

xframe is pretty foolproof; however, if you aren't referring specifically to an iframe, you could always use a web proxy such as node-unblocker for Node.js, or miniProxy for PHP.
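
For a link-preview feature like the one in the question, the framing decision can be read from the target's response headers before an iframe is attempted, so the preview can fall back to a plain link. This is an added example, not code from the original posts: `canFrame`, `parseCsp` and `sourceMatches` are hypothetical names, the header values are constructed, and only the direct parent page is checked rather than the full ancestor chain.

```javascript
// Parse one CSP header value into Map(directive -> [source expressions]).
// The first occurrence of a directive wins; later duplicates are ignored.
function parseCsp(value) {
  const directives = new Map();
  for (const part of (value || "").split(";")) {
    const [name, ...sources] = part.trim().toLowerCase().split(/\s+/);
    if (name && !directives.has(name)) directives.set(name, sources);
  }
  return directives;
}

// Match one frame-ancestors source against the embedding page. Simplified:
// a source without a scheme is accepted for both http and https embedders.
function sourceMatches(source, embedder, target) {
  if (source === "'self'") return embedder.origin === target.origin;
  if (source === "*") return /^https?:$/.test(embedder.protocol);
  if (/^[a-z][a-z0-9+.-]*:$/.test(source)) return embedder.protocol === source;
  const m = source.match(
    /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([a-z0-9.-]+)(?::(\d+|\*))?(?:\/.*)?$/);
  if (!m) return false; // 'none', other keywords, malformed: no match
  const [, scheme, wildcard, host, port] = m;
  const defPort = embedder.protocol === "https:" ? "443" : "80";
  if (scheme && embedder.protocol !== scheme + ":") return false;
  if (port !== "*" && (embedder.port || defPort) !== (port || defPort)) return false;
  return wildcard ? embedder.hostname.endsWith("." + host) : embedder.hostname === host;
}

// Would a browser render targetUrl in an iframe on the page at embedderUrl?
function canFrame(headers, targetUrl, embedderUrl) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = String(v);
  const target = new URL(targetUrl), embedder = new URL(embedderUrl);
  const ancestors = parseCsp(h["content-security-policy"]).get("frame-ancestors");
  if (ancestors) {
    // When frame-ancestors is present, X-Frame-Options is ignored.
    const allowed = ancestors.some((s) => sourceMatches(s, embedder, target));
    return { allowed, by: "frame-ancestors" };
  }
  const xfo = (h["x-frame-options"] || "").trim().toUpperCase();
  if (xfo === "DENY") return { allowed: false, by: "x-frame-options" };
  if (xfo === "SAMEORIGIN")
    return { allowed: embedder.origin === target.origin, by: "x-frame-options" };
  // ALLOW-FROM and unrecognized values are ignored by current browsers.
  return { allowed: true, by: "none" };
}

// Constructed headers: both present, so frame-ancestors decides.
console.log(canFrame({ "X-Frame-Options": "DENY",
  "Content-Security-Policy": "frame-ancestors https://*.example.org" },
  "https://site.example/page", "https://preview.example.org/"));
```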

Related

Where does GoogleCreativeContainerClass come from?

We are having an issue with the following div being injected into our site:
<div class="GoogleCreativeContainerClass" id="gcc_*****" data-creative-load-listener="">
It doesn't seem to break anything apart from IE9. It is getting injected in the middle of an SVG sprite sheet and breaking the SVGs.
I believe it's coming from GTM but we have 300 scripts loaded in via GTM!
You have probably resolved this already; however, just in case: this is coming from any GTM tag which is displaying ads on your website.
GTM is generating a list of data-dcm attributes that are used during the ad render for each ad placement you have configured.
The only way to avoid this is to remove any specific ads that are displayed on your website when the browser is IE9, as you mentioned.

How do I make Outlook-addins maintain URL fragments to support single page applications?

I've found that when launching an Outlook add-in, the URL that you configure in the manifest does not persist the fragment URL and this breaks Single Page Applications (SPAs). It works fine if you are just trying to go to the default route of the SPA e.g. index.html but if you try and go directly to a fragment URL (route) within the app then it doesn't work e.g. index.html#mypage
The index.html#mypage actually gets changed to this:
index.html?et=&_host_Info=Outlook|Web|1…_1480636166782|ocii1|https://outlook.office.com/owa/?realm=XYZ.com#&_serializer_version=1mypage&_xdm_Info=-133b2041_-3d735892_1480636166782|ocii1|https://outlook.office.com/owa/?realm=XYZ.com
Further explanation of the issue can be found here:
https://camerondwyer.wordpress.com/2016/12/02/issues-launching-outlook-add-ins-directly-to-a-spa-route-using-fragment-urls/
Moving to HTML5 style URLs is not currently an option for me so routing within the SPA needs to use the Fragment URL (hashbang). I imagine anyone trying to start an add-in and pass parameters in the URL would be seeing a similar problem.

html base tag with different domain from the top domain gives security issue

I have a website which displays and edits the contents of different web pages, such as adding CSS code to them.
It works like this: I use curl to get the contents of web pages, then I edit the content and add a base tag with an href attribute which points to the URL that I got the contents from. Then I put the edited content into an iframe on my website. It was working for a year, but yesterday I noticed an error: Google Chrome shows me the security warning page.
I've tried so many things to fix this problem but I couldn't fix it. When I use the base tag with a different domain from the top domain, it shows the warning page. Do you have any idea how I can get past this problem? I have to use a base tag with a different domain from the base tag.
It looks like that was a Google-side error :D We contacted them and the problem is fixed :)

How to inject script into a page using bookmarklet if the Content Security Policy is enabled on the server?

I have a bookmarklet which uses jQuery and parses some elements on the page. To use jQuery, I am creating a script tag (with src as the jQuery URL) dynamically and appending it to the head tag. This works well for many sites. But there are a few sites, like Facebook, for which the bookmarklet is not able to inject the external JS file into the DOM. I came to know that this behaviour is because of the response header "Content Security Policy", which prohibits the inclusion of scripts from any other unauthorized domain. This is to prohibit XSS attacks.
I have a genuine case to insert an external JS file into the DOM. Is there any workaround to bypass the Content Security Policy?
Self-contained bookmarklets are another possibility. Here's jQuery 3.3.1.
Take
javascript:(function(){

})();
And fill the empty line with the jQuery source code, for example the contents of https://code.jquery.com/jquery-3.4.1.min.js .
Afterward, set it as the URL of your bookmark(let).
The spec says (at least I think it still does) that CSP should not prevent bookmarklets, but no browser has implemented this. Your only option is to disable CSP in the browser or use an extension.

Displaying external web pages that do not allow iframe embedding in WinJS

My current understanding is that the only way to display external web pages in the WinJS app is to use iframes. This seems to be a limitation, since I am not able to embed YouTube links or Twitter search links.
e.g. http://www.youtube.com/watch?v=diP-o_JxysA
How do I go about displaying these web pages? Are there any workarounds for this limitation other than the run-your-own-proxy solutions?
You cannot without running your own proxy and modifying the headers, or modifying the headers directly on the host server.
Note that for other types of resources, like login pages that don't like to be iframed (e.g. Salesforce.com), you can use the WebAuthenticationBroker.
