Should warn users about privacy implication #36
Comments
Could you please share the non-proxy code?
Yes, I'm also very curious how you were able to accomplish this without the use of a proxy. Please share!
Keep in mind this will ONLY work in a Chrome extension context... that is how I was able to drop the use of the proxy. I also ported it to TypeScript to use in Angular and take full advantage of TypeScript compile/IDE checks. Be warned this code is still in development and hasn't been tested a lot.

x-frame-bypass.ts is the element class which extends iframe. It uses the fetch API to fetch the files (this step will fail outside of a Chrome extension without the permission to fetch that URL) and I adjusted the <base> setting to be more flexible. The chrome.runtime.getURL call is a Chrome extension API and won't work in any other context.

The x-frame-bypass-inject.js file is injected into every page and attempts to prevent the frame from navigating, creating a new window instead (which is behavior I want).

main.ts is an Angular file which I use to register the x-frame-bypass class so I can use it as a tag in my page. I suppose I could have implemented this as a proper Angular component but I think this approach is closer to the original code.

https://gist.github.com/The-MAZZTer/64610bb0f80d98314c3f3a906b82408b
I recommend the README file have a section warning users about possible privacy implications.
All the traffic is routed through a proxy server in order to bypass CORS restrictions. I recommend listing these proxy servers clearly in the README and making it clear all traffic will pass through them even for HTTPS (I think? I don't need the proxy feature so I disabled it for my own use). Also this may weaken CORS security, not sure. If so the user should be notified about the implications so they can make an informed decision about whether x-frame-bypass is a good fit for their project or not.