
Unfortunately I haven't seen a question that asks exactly what I need so I decided to post one.

The problem: I have a chrome extension that loads an iframe sidebar. On initial load, the user needs to login using a Google account of their choice. In addition, the same auth flow (ideally) should be presented to the user if they visit the actual site (in a new tab).

I currently use the Google Account Chooser and when using an iframe version of the site, I run into some issues, mainly:

Refused to display 'https://accounts.google.com/AccountChooser?continue=https://accounts.google…t.com%26from_login%3D1%26as%3D473effc061cc82d5&btmpl=authsub&scc=1&oauth=1' in a frame because it set 'X-Frame-Options' to 'DENY'.

To summarize, what I need is:

  • One auth flow that addresses
    1. login to the site via an iframe and
    2. login to the site in a new tab.
  • Auth flow that allows the user to select a Google account similarly to Account Chooser
asked by dipole_moment, edited by diogo
  • Why can't you use the identity API? https://developer.chrome.com/extensions/identity – Pawel Uchida-Psztyc Jan 07 '17 at 12:27
  • 1
    According to this [SO question](http://stackoverflow.com/questions/27358966), you can't set X-Frame-Options on the iframe. That is a response header set by the domain from which you are requesting the resource. They have set the header to SAMEORIGIN in this case, which means that they have disallowed loading of the resource in an iframe outside of their domain. You can also check this another [SO question](http://stackoverflow.com/questions/6666423) if it can help you. – KENdi Jan 07 '17 at 14:13
  • @KENdi thanks for the feedback but the error I am getting is not related to `SAMEORIGIN`. In this case, Google is allowing the iframe to be accessed in other origins but is saying "You can't use our account chooser auth flow from within an iframe" which is different. – dipole_moment Jan 07 '17 at 20:46
  • @PawełPsztyć The identity auth flow is meant specifically for extensions. I may very well end up using it but I am trying to identify a solution that encompasses auth flow for the extension and for when the user visits the page separately. You see, the extension simply loads a url and I am trying to avoid having different auth flows for each. – dipole_moment Jan 07 '17 at 20:48
  • You can use chrome.webRequest API to strip the X-Frame headers. – wOxxOm Jan 08 '17 at 08:15
