Proof of concept of ignoring x-frame-options for sign-in webui.

chrome/browser/renderer_host/chrome_resource_dispatcher_host_delegate.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "chrome/browser/renderer_host/chrome_resource_dispatcher_host_delegate.h"
 
 #include <string>
 
 #include "base/base64.h"
 #include "base/logging.h"
@@ skipping 19 matching lines @@
 #include "chrome/browser/profiles/profile_io_data.h"
 #include "chrome/browser/renderer_host/safe_browsing_resource_throttle_factory.h"
 #include "chrome/browser/safe_browsing/safe_browsing_service.h"
 #include "chrome/browser/signin/signin_header_helper.h"
 #include "chrome/browser/ui/auto_login_prompter.h"
 #include "chrome/browser/ui/login/login_prompt.h"
 #include "chrome/browser/ui/sync/one_click_signin_helper.h"
 #include "chrome/common/extensions/extension_constants.h"
 #include "chrome/common/extensions/mime_types_handler.h"
 #include "chrome/common/render_messages.h"
+#include "chrome/common/url_constants.h"
 #include "content/public/browser/browser_thread.h"
 #include "content/public/browser/notification_service.h"
 #include "content/public/browser/render_process_host.h"
 #include "content/public/browser/render_view_host.h"
 #include "content/public/browser/resource_context.h"
 #include "content/public/browser/resource_dispatcher_host.h"
 #include "content/public/browser/resource_request_info.h"
 #include "content/public/browser/stream_handle.h"
 #include "content/public/browser/web_contents.h"
 #include "content/public/common/resource_response.h"
@@ skipping 534 matching lines @@
   GURL webstore_url(extension_urls::GetWebstoreLaunchURL());
   if (request->url().DomainIs(webstore_url.host().c_str())) {
     net::HttpResponseHeaders* response_headers = request->response_headers();
     if (!response_headers->HasHeaderValue("x-frame-options", "deny") &&
         !response_headers->HasHeaderValue("x-frame-options", "sameorigin")) {
       response_headers->RemoveHeader("x-frame-options");
       response_headers->AddHeader("x-frame-options: sameorigin");
     }
   }
 
+  if (request->first_party_for_cookies().SchemeIs(chrome::kChromeUIScheme) &&
+      request->first_party_for_cookies().host() == chrome::kChromeSigninHost) {
+    net::HttpResponseHeaders* response_headers = request->response_headers();
+    if (response_headers->HasHeader("x-frame-options"))
+      response_headers->RemoveHeader("x-frame-options");
+  }
+
   prerender::URLRequestResponseStarted(request);
 }
 
 void ChromeResourceDispatcherHostDelegate::OnRequestRedirected(
     const GURL& redirect_url,
     net::URLRequest* request,
     content::ResourceContext* resource_context,
     content::ResourceResponse* response) {
   ProfileIOData* io_data = ProfileIOData::FromResourceContext(resource_context);
   const ResourceRequestInfo* info = ResourceRequestInfo::ForRequest(request);
@@ skipping 16 matching lines @@
   signin::AppendMirrorRequestHeaderIfPossible(request, redirect_url, io_data,
       info->GetChildID(), info->GetRouteID());
 }
 
 // static
 void ChromeResourceDispatcherHostDelegate::
     SetExternalProtocolHandlerDelegateForTesting(
     ExternalProtocolHandler::Delegate* delegate) {
   g_external_protocol_handler_delegate = delegate;
 }