Reputation: 11
I'm trying to create a simple Chrome extension that presents an IFrame with a URL that has CSP and CORS policies. I've heard before that, through permissions you can get with browser extensions, you can bypass these policies.
I've tried many different things ranging from a simple IFrame:
<iframe src="https://example.com"></iframe>
to using CORS Anywhere and trying to use a proxy. I cannot afford any servers and it seems like any server-side things aren't viable right now.
All of these resulted in the same thing: "Example.com refused to connect".
Does anyone know of a way to bypass CSP/CORS through browser extensions? In other words: How do I bypass policies on IFrames in browser extensions? Any help would be appreciated.
Upvotes: 1
Views: 93
Reputation: 3106
Sounds like you want to embed an external frame in an external website. Please note it must be loaded in a frame that is packaged with your extension. This answer has provided a viable example for you to test.
This solution works in most cases, except for one case where Cross-Origin-Embedder-Policy is applied. Check this Chromium issue post for more information. One workaround is to use <iframe credentialless> to help embed third-party iframes that don't set COEP. You can refer to this documentation for more information on embedding iframes in COEP environments.
To conclude, apart from the initial solution, you also need to modify the iframe part in frame.html to <iframe credentialless src="https://example.com/"></iframe>.
Upvotes: 1
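Added example, not part of either post: a browser refuses to render a framed page when the response's X-Frame-Options header or CSP frame-ancestors directive excludes the embedding page (CORS does not govern framing), and this JavaScript model evaluates those two headers for a given embedder. The function names and the extension ID are made up for illustration.

```javascript
// Added example: simplified model of the framing checks a browser applies to a
// navigation response. Header names are expected in lower case. Only the direct
// embedder is checked (browsers check every ancestor), and ports and paths in
// host-sources are ignored.
const originOf = (u) => `${u.protocol}//${u.host}`;

function matchesSource(source, ancestor, self) {
  const s = source.toLowerCase();
  if (s === "'none'") return false;
  if (s === "'self'") return originOf(ancestor) === originOf(self);
  if (s === "*") return /^https?:$/.test(ancestor.protocol); // model: network schemes only
  if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return ancestor.protocol === s; // scheme-source
  const m = s.match(/^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^/:]+)/); // host-source
  if (!m) return false;
  const [, scheme, wildcard, host] = m;
  if (scheme && ancestor.protocol !== `${scheme}:`) return false;
  return wildcard ? ancestor.hostname.endsWith(`.${host}`) : ancestor.hostname === host;
}

function framingVerdict(pageUrl, headers, embedderUrl) {
  const self = new URL(pageUrl);
  const ancestor = new URL(embedderUrl);
  // A header value may carry several comma-separated policies; each one that
  // has a frame-ancestors directive must allow the embedder.
  const lists = [];
  for (const policy of (headers["content-security-policy"] || "").split(",")) {
    for (const directive of policy.split(";")) {
      const [name, ...sources] = directive.trim().split(/\s+/);
      if (name.toLowerCase() === "frame-ancestors") { lists.push(sources); break; }
    }
  }
  if (lists.length > 0) {
    // When frame-ancestors is present, X-Frame-Options is not consulted.
    const allowed = lists.every((l) => l.some((s) => matchesSource(s, ancestor, self)));
    return { allowed, decidedBy: "CSP frame-ancestors" };
  }
  const xfo = (headers["x-frame-options"] || "").split(",").map((v) => v.trim().toUpperCase());
  if (xfo.includes("DENY")) return { allowed: false, decidedBy: "X-Frame-Options" };
  if (xfo.includes("SAMEORIGIN")) {
    return { allowed: originOf(ancestor) === originOf(self), decidedBy: "X-Frame-Options" };
  }
  return { allowed: true, decidedBy: "none" };
}

// Constructed sample: an extension page (made-up ID) framing a site that sends SAMEORIGIN.
const EXT_PAGE = "chrome-extension://aaaabbbbccccddddeeeeffffgggghhhh/frame.html";
console.log(framingVerdict("https://example.com/", { "x-frame-options": "SAMEORIGIN" }, EXT_PAGE));
```

An extension page has a `chrome-extension://` origin, so `SAMEORIGIN` and `'self'` never match it.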