[jayrox]

This is really interesting. I have an idea where this could be helpful to the Plex user community. Recently Plex added a header that blocks the page from being iframed (X-Frame-Options).

Would doing something like this, obviously replacing example.com with their own domain.com, replace the offending header?

  addEventListener('fetch', event => {  
    let request = event.request;
    if (request.headers.has('X-Frame-Options')) {
      let newHeaders = new Headers(request.headers);
      newHeaders.set('X-Frame-Options', 'ALLOW-FROM https://example.com/');
      event.respondWith(fetch(request, {headers: newHeaders}));
    }
  
    // Use default behavior.
    return;
  });

[kentonv]

Yes.

Of course, you could only apply it to your own server.

Also, you would want to think carefully about clickjacking attacks (where someone puts your site in an invisible iframe and tricks people into clicking on it). The X-Frame-Options header was probably added to prevent clickjacking.

[jayrox]

Of course this would be the user's personally hosted server. Typically hidden behind a password and loaded in some sort of HTPC manager like Organizr.

According to reports, Plex' intention was to prevent clickjacking, which is perfectly reasonable but left many of their users from being able to use their Plex servers within the HTPC managers.