any way to edit the response headers (or somehow disable X-Frame-Options)?

[Phouter0499]

Specification

• pywebview version: 5.1
• operating system: Windows 11
• web renderer: EdgeChromium

Description

I am trying to load a webpage into an iframe element by simply updating the src attribute. However, I notice I am getting the "Refused to display 'https://www.example.com/' in a frame because it set 'X-Frame-Options' to 'sameorigin'."
It looks there was a related question where OP asked whether X-Frame-Options can be disabled but he wasn't using the same renderer as I am using. Anyways, I tried to use bottle in someway where I can process the response object before the browser does but I have yet to figure out how.

Practicalities

• YES/NO I am willing to work on this issue myself.
  YES
• YES/NO I am prepared to support this issue financially.
  NO

[r0x0r]

Currently no, but I have been planning to add editing requests and responses. Help is welcomed.

[Phouter0499]

Hi, thanks for responding but would it be possible for you tell me where to start. I plan on reading the source code and make some quick tricks as a temp bandage solution but it would save me some time if you could point in the right direction...

[r0x0r]

I envision API as follows. Both requests and responses could be accessed via window events, e.g. window.event.request_sent and window.event.response_received. Handlers would have headers: Dict parameter. If a dict is returned from a handler then it would become new headers. window.load_url could have an optional headers param as well. I have created a new headers branch.

As for actual platform specific implementation, googling for "renderername request/response headers" could be a good starting point. For example handling requests for Edge Chromium is described here https://learn.microsoft.com/en-us/microsoft-edge/webview2/how-to/webresourcerequested?tabs=dotnet. Basically you would attach to a correct handler on the actual webview and call something like

new_headers = window.event.response_received(headers)
if new_headers:
   #set headers here
else:
  #return original headers

ChatGPT has proved useful when it comes to writing platform specific code. It is especially good when it comes to getting platform specific syntax right.

I am not sure if it is possible to implement editing response headers on every platform. In particular I quickly glanced over macOS and could not find a way to do it.

[Phouter0499]

So after playing with edgechromium.py, editing the response headers is likely not possible with CoreWebView2.
I added

sender.CoreWebView2.AddWebResourceRequestedFilter('*', CoreWebView2WebResourceContext.All)
sender.CoreWebView2.WebResourceResponseReceived += self.on_web_resource_response

to on_webview_ready function and then tried editing the csp header with on_web_resource_response but it doesn't work:

def on_web_resource_response(self, sender, args):        
    if args.Response.Headers.Contains('content-security-policy'):
        args.Response.Headers.SetHeader('content-security-policy', '')

I also tried adding the --disable-web-security flag but to no avail...

Basically I am going to try one of the following approaches:

1. Use proxy server
2. Load extension
3. Use javascript

[r0x0r]

The example on this page https://learn.microsoft.com/en-us/microsoft-edge/webview2/how-to/webresourcerequested?tabs=dotnet#overriding-a-response-to-proactively-replace-it creates a new response and assigns it to args.Response. Have you tried it?

// Add a filter to select all image resources
webView.CoreWebView2.AddWebResourceRequestedFilter(
      "*", CoreWebView2WebResourceContext.Image);
webView.CoreWebView2.WebResourceRequested += delegate (
   object sender, CoreWebView2WebResourceRequestedEventArgs args) {
    
   // Replace the remote image resource with a local one specified at the path customImagePath.
   // If response is not set, the request will continue as it is.
   FileStream fs = File.Open(customImagePath, FileMode.Open);
   CoreWebView2WebResourceResponse response = webView.CoreWebView2.Environment.CreateWebResourceResponse(fs, 200, "OK", "Content-Type: image/jpeg");
   args.Response = response;
};

[Phouter0499]

I don't follow as to why that would work. If an iframe tries loading another external website where its csp can't be controlled, then it shouldn't matter what the response was before retrieving that website. Changing the final response doesn't work it looks like.

[r0x0r]

I have not tested it, but to me it looks like args.Response is a setter property, setting which sets header update. Editing headers in place would not achieve the same effect.

[github-actions]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

[hustshenl]

is there any page aount WebKit.WKWebView(cocoa)

The example on this page https://learn.microsoft.com/en-us/microsoft-edge/webview2/how-to/webresourcerequested?tabs=dotnet#overriding-a-response-to-proactively-replace-it creates a new response and assigns it to args.Response. Have you tried it?

// Add a filter to select all image resources
webView.CoreWebView2.AddWebResourceRequestedFilter(
      "*", CoreWebView2WebResourceContext.Image);
webView.CoreWebView2.WebResourceRequested += delegate (
   object sender, CoreWebView2WebResourceRequestedEventArgs args) {
    
   // Replace the remote image resource with a local one specified at the path customImagePath.
   // If response is not set, the request will continue as it is.
   FileStream fs = File.Open(customImagePath, FileMode.Open);
   CoreWebView2WebResourceResponse response = webView.CoreWebView2.Environment.CreateWebResourceResponse(fs, 200, "OK", "Content-Type: image/jpeg");
   args.Response = response;
};