I’m learning Chrome extension development and I’m trying to build a plugin that removes HTTP response headers (I know there are already plenty of these out there, but I just want to practice). However, I stumbled upon something interesting: when it comes to the CSP (Content-Security-Policy) header, this technique seems to fail on some websites. How do these sites manage to bypass my extension’s attempts to remove the CSP header? I’m just really curious about their approach.
I’ve been diving into Chrome extension development, mostly using these resources as my main references: declarativeNetRequest (V3) and webRequest (V2). I coded an extension to remove HTTP response headers, but I found it doesn’t work for certain URLs, like https://teams.live.com/v2/.
So, I tried out some extensions from the market, including Allow CSP and ModHeader. Neither of these extensions could remove the CSP header from https://teams.live.com/v2/.
I did some research, looking at questions like (Getting around X-Frame-Options DENY in a Chrome extension?), and tried both V2 and V3 APIs based on the answers there. The extension still wasn’t working as expected.
Especially with V2: I even printed the headers in the webRequest.onHeadersReceived listener after removing the CSP header, and the console showed that the response headers no longer contained the CSP. However, when I checked the DevTools, the CSP header was still there. I also ran some injected scripts to verify, and the CSP enforcement was indeed active.
I noticed that https://teams.live.com/v2/ uses a service worker, so I disabled it, but the issue persisted.
I’m using Chrome version 127.0.6533.72, and I’ve also tested with version 122.x, but the issue persisted.
I thought modifying response headers was a common task, but I’ve been stuck on this for days now. Am I missing something?
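As an added example (not the asker's code), this is the Manifest V2 webRequest.onHeadersReceived handler written so that the header-filtering step is a pure function that can be checked outside the browser. Header names are compared case-insensitively, because Chrome hands the listener the names as the server sent them, and a case-sensitive compare leaves a lower-cased "content-security-policy" in place. The listener registration assumes it runs inside an extension where the chrome.webRequest API exists; the sample headers array is constructed.

```javascript
// Added example: pure filter for the headers array Chrome passes to
// webRequest.onHeadersReceived. Both the enforcing header and the
// report-only variant are matched, case-insensitively.
const CSP_HEADERS = new Set([
  "content-security-policy",
  "content-security-policy-report-only",
]);

// Returns a new array with every CSP header removed; other headers untouched.
function stripCspHeaders(responseHeaders) {
  return responseHeaders.filter(
    (h) => !CSP_HEADERS.has(h.name.toLowerCase())
  );
}

// Lower-cased names still present, for comparing against the DevTools Network panel.
function headerNames(responseHeaders) {
  return responseHeaders.map((h) => h.name.toLowerCase());
}

// Register the listener only when running inside an extension (assumption:
// chrome.webRequest is available there and the manifest grants the permission).
if (typeof chrome !== "undefined" && chrome.webRequest) {
  chrome.webRequest.onHeadersReceived.addListener(
    (details) => {
      const responseHeaders = stripCspHeaders(details.responseHeaders || []);
      // Log what is returned so it can be checked against what the page enforces.
      console.log(details.url, headerNames(responseHeaders));
      return { responseHeaders };
    },
    { urls: ["<all_urls>"] },
    ["blocking", "responseHeaders", "extraHeaders"]
  );
}

// Constructed sample in the shape of details.responseHeaders; note the
// mixed casing of the header names.
const sampleHeaders = [
  { name: "Content-Type", value: "text/html" },
  { name: "content-security-policy", value: "default-src 'self'" },
  { name: "Content-Security-Policy-Report-Only", value: "default-src 'none'" },
];
```

Running the file under Node exercises only the pure functions; the listener branch is skipped because there is no chrome object.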