kenmirrors/MagicMirror
1
0
Fork 0
mirror of https://github.com/MichMich/MagicMirror.git synced 2025-06-27 11:50:00 +00:00
Code Issues Projects Releases Wiki Activity

Add option to remove "x-frame-options" and "content-security-policy" response headers (#2963)

Browse Source 
Many users like me do have the problem that they want to embed other
sites to their mirror by "iframe".
As some developers set the "x-frame-options" and
"content-security-policy" for security reasons these sites can not be
embedded.
Electron provides the "webview" element additionally to "iframe" which
allows to embed these sites although. The main difference is that a new
process is started which handles the "webview" element.
BUT: As the "webview" process needs to be started and is isolated
"webview" is slower and the elements can not be accessed from the
embedding website.

As an alternative i implemented a small callback function in electron.js
which removes the response headers that forbid the embedding.

The removing can be controlled with the new config options:
* ignoreXOriginHeader
* ignoreContentSecurityPolicy
This commit is contained in:
Thomas Hirschberger 2022-11-07 07:42:27 +01:00 committed by GitHub
parent 0b01e9dbe0
commit b9b7d2c95d
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 15 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
CHANGELOG.md
View File

@ -19,6 +19,7 @@ Special thanks to: @rejas, @sdetweil, @MagMar94
- Added css class names "today" and "tomorrow" for default calendar - Added css class names "today" and "tomorrow" for default calendar
- Added Collaboration.md - Added Collaboration.md
- Added new github action for dependency review (#2862) - Added new github action for dependency review (#2862)
- Added config options "ignoreXOriginHeader" and "ignoreContentSecurityPolicy"
### Removed ### Removed

14
js/electron.js
View File

@ -103,6 +103,20 @@ function createWindow() {
}, 1000); }, 1000);
}); });
} }
//remove response headers that prevent sites of being embedded into iframes if configured
mainWindow.webContents.session.webRequest.onHeadersReceived((details, callback) => {
let curHeaders = details.responseHeaders;
if (config["ignoreXOriginHeader"] || false) {
curHeaders = Object.fromEntries(Object.entries(curHeaders).filter((header) => !/x-frame-options/i.test(header[0])));
}
if (config["ignoreContentSecurityPolicy"] || false) {
curHeaders = Object.fromEntries(Object.entries(curHeaders).filter((header) => !/content-security-policy/i.test(header[0])));
}
callback({ responseHeaders: curHeaders });
});
} }
// This method will be called when Electron has finished // This method will be called when Electron has finished