C++ Webkit GTK , How to disable cross origin policy?

Question

I'm trying to load http://google.com in iframe with "file://" domained page. Ofcourse i got "Google.com did not allow" error. I already tried reverse proxy but i think reverse proxy does it not make sense.

After then, i'm researched over a few hours about disable or bypass the "Cross origin policy" in webkit gtk.

I tried some solutions in this manual page, https://webkitgtk.org/reference/webkit2gtk/stable/WebKitSettings.html

so, i tried to add this block in WebKitSettings

   WebKitSettings *settings =
    webkit_web_view_get_settings(WEBKIT_WEB_VIEW(webview));
    webkit_settings_set_allow_file_access_from_file_urls(settings, true);
    webkit_settings_set_allow_file_access_from_file_urls(settings,true);

but it does not work. I still can't connect to google.com (or any cors protected website) in iframe.

According to my last research, Webkit GTK manual there is a few little trick about this. It is mentioned as property

(allow-file-access-from-file-urls)

but i can't figure it out how to implement my code.

Editing:

i add this line in my code

webkit_settings_set_allow_universal_access_from_file_urls(settings,true);

now i also got "Connection refused in a frame because it set X-Frame-Options to SAMEORIGIN" error. How can i set it in webkitgtk for cross origin ?

You can't bypass the CORS policy. Your app should be white-listed on the server to which the request is being made (Google in your case). — Debargha Roy, Oct 02 '20 at 15:58

lucasreta · Answer 1 · 2020-10-06T21:34:01.400

As already pointed out in the comments, CORS policy can't be bypassed.

You won't be able to load in an iframe any site that is properly configured to prevent that.

The only way to get around this would be to make a server-side request from a website you own to the website you'd like to display, have your site configured with the correct X-Frame-Options and make it return what it fetched from the site that should be displayed.

A sort of proxy, that still is hugely error-prone.

I made a quick proof of concept in PHP.

At https://lucasreta.com/test/google.com we have the following script, which retrieves the contents of google.com, parses and displays them:

<?php

$url = "https://www.google.com";
$request = curl_init();
curl_setopt_array($request, [
  CURLOPT_URL => $url,
  CURLOPT_RETURNTRANSFER => true,
  CURLOPT_TIMEOUT => 30,
  CURLOPT_HTTPHEADER => [
    "Content-Type: text/html; charset=UTF-8"
  ]
]);
$return = curl_exec($request);
curl_close($request);

header('Content-Type: text/html; charset=UTF-8');

# after setting headers, we echo the response
# obtained from the site to display and tweak it
# a bit in order to fix local urls
echo str_replace("=\"/", "=\"$url", $return);

And at https://lucasreta.com/test/google.com/iframe we include what is returned above in our iframe:

<style>
* {font-family: sans-serif}
iframe {width: 90%; height: 85vh;}
</style>

<h1>Google in an iframe</h1>

<iframe src="../"></iframe>

This is a good explanation of why this happens, but could you add a bit on how to do it if your iframe page is local (`file://`), and you are displaying it in a WebKitGTK widget? How do you configure it with the correct frame options in that case? — ptomato, Oct 07 '20 at 22:17

C++ Webkit GTK , How to disable cross origin policy?

1 Answers1