niutech / x-frame-bypass

Web Component extending IFrame to bypass X-Frame-Options: deny/sameorigin
https://niutech.github.io/x-frame-bypass/
Apache License 2.0
686 stars 274 forks

Undocumented proxies need to be configurable #17

Closed KeithHenry closed 4 years ago

KeithHenry commented 5 years ago

This sends requests via one of 3 external proxies: https://github.com/niutech/x-frame-bypass/blob/855835ec48f92bfc825a88284b17218cb1867f7f/x-frame-bypass.js#L68-L70

This means it won't work on a VPN, isn't suitable for any situation where the other origin is returning sensitive or protected data, and allows hacks from any of those proxy sites should any of them choose to inject JS into the content.

The control needs to allow the proxies to be specified and overwritten.

In addition, the documentation needs to make clear that these external proxies are being used and the consequences: only GET works, cookies are not included, and an unknown 3rd party gets a chance to copy the content and add whatever they want before your users run it.

niutech commented 4 years ago

Now you can use the proxies option in the load(src, options) method, where you can set a list of your custom proxies.
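As an added example (not code from the x-frame-bypass project or from either commenter), the snippet below shows how a page operator might vet the proxy list before handing it to the new proxies option, so that only HTTPS endpoints on origins they control or explicitly trust are ever used. It assumes the component exposes load(src, { proxies }) as described in the comment above; the selectTrustedProxies helper, the sample proxy URLs and the allowlist are constructed for illustration and are not part of the library.

```javascript
// Added example, not part of x-frame-bypass. Filters a candidate proxy list
// down to origins the page operator trusts before passing it to load().
// Assumption: the component accepts load(src, { proxies: [...] }) as the issue states.

function selectTrustedProxies(candidates, allowedOrigins) {
  // Normalise the allowlist to origins so path or trailing-slash differences don't matter.
  const allowed = new Set(allowedOrigins.map(o => new URL(o).origin));
  const trusted = [];
  for (const candidate of candidates) {
    let url;
    try {
      url = new URL(candidate);
    } catch {
      continue; // malformed entry: skip rather than fail open
    }
    if (url.protocol !== 'https:') continue;  // plaintext proxies can be altered in transit
    if (!allowed.has(url.origin)) continue;   // unknown third party: never forward content through it
    trusted.push(url.href);
  }
  return trusted;
}

// Constructed sample input: one self-hosted proxy (HTTPS and plain HTTP variants),
// one public proxy that is not on the allowlist, and one malformed entry.
const CANDIDATES = [
  'https://proxy.example.internal/fetch?url=',
  'http://proxy.example.internal/fetch?url=',
  'https://public-cors-proxy.example.net/',
  'not a url',
];
const TRUSTED_ORIGINS = ['https://proxy.example.internal'];

function configuredProxies() {
  return selectTrustedProxies(CANDIDATES, TRUSTED_ORIGINS);
}

// Hypothetical usage in a page that has registered the component
// (element selector and load() signature assumed from the issue, not verified here):
// const frame = document.querySelector('iframe[is="x-frame-bypass"]');
// frame.load('https://target.example.org/', { proxies: configuredProxies() });
```

The filter deliberately drops the HTTP variant of the self-hosted proxy as well as the public one: the issue's point is that whoever operates the proxy can read and rewrite the fetched document, so the list should contain only endpoints the operator has that same level of trust in, and the transport to them should not be tamperable.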