RangerMauve
commented
1 year ago I'm gonna take inspo from navigator.registerProtocolHandler and register it as https+raw.
I also won't enable it for non-https origins to avoid some obvious attacks that can be performed on local networks.
Generally I think this should be used for bypassing CORS on corporate sites like Youtube / Google / Twitter and giving apps a chance to scrape data that would otherwise require a server.
I'm hoping this won't break the security model too hard since I've set it to not send credentials by default so your cookies and stuff should be safe from apps and you'd need to explicitly give an app a cookie or some sort of API token for it to impersonate you.
It would be useful to have a new protocol handler which is like
http://orhttps://but without CORS or cookies (and maybe only available to apps rather than top level?)It might look something like
raw+https://orunsafe+https://and could be used from any origin.The caveat is that cookies would not be persisted per origin and CORS headers would be stripped so that any app can make requests to any URL.
This would enable web apps to work similarly to native apps which can make requests to any domain they want without accidentally revealing other data.
Some worries here is making requests to localhost and local network domains which can lead to malicious apps being able to do really sussy things.
Also, custom port still don't work with protocol handlers in Electron so we'd be limited to servers running on default ports.
This still enables stuff like scraping Youtube data or RSS readers that don't need to worry about CORS.
IIRC cookies could be passed in as regular headers, but I'll need to double check that.