Jozef Maxted

I don’t know if I should have built this and I’m surprised it works, but I figured out a way to bypass x-frame-origin policies by combing a service worker proxy and a server side proxy! Check out the demo video to see it working. I’m building a web scraping tool and I wanted the site you are scraping to appear in an iframe whilst the scraper is configured. Problem is, loads of sites prevent iframe embeds with the x-frame-origin headers. So I ended up going down a bit of rabbit hole trying to get this to work. So I built a super simple proxy endpoint and now I can get the basic HTML to load but the page is really broken broken. All the relative URLs are now hitting the proxy and 404ing and the absolute URLs are are trying to load but still getting blocked by the x-frame-origin policy. So my first thought is let’s try and rewrite all of the relative and absolute URLs from the same domain on the proxy side so they point to the correct proxy URL. So for example if a website has a link to a css file referenced like “/assets/main.css” the proxy will modify the HTML and rewrite it to “example-proxy.com/?url=https://t…” and the same happens for absolute URLs. I temporarily thought I had cracked it, and this actually worked for some basic sites, but the smile was quickly wiped off my face when I tested it with sites built with modern frontend frameworks such as Next or Next. These pesky little buggers load a lot of resources using JavaScript so all the URLs they were using were still broken! Ahhhh that was going to be difficult to fix on the proxy side, searching in all loaded JavaScript files for URLs to rewrite sounded horrible, difficult and maybe impossible. At this point I was pretty close to giving up, and was starting to think about alternative options such as streaming a video of the site from puppetteer in the cloud. The I remembered that service workers can basically act as a client side proxy, with the ability to modify any request on the client side a browser makes. If I could write a service worker that modifies all request to go via my server side proxy it would fix all the issues I had above! It seemed to good to be true! So I went about creating this service worker (with the help of cursor) and then modified my server side proxy code to inject and register the service worker on any page that is requested through it. Annndddd……it worked! I couldn’t believe it but it worked amazingly well, and I can now load any site in a iframe regardless of the owners want it to be! This is super awesome for my scraping tool, but seems very dodgy from a security point of view, surely this is a phishing scammers dream? I can create a proxy to any site and inject whatever scripts I want. Security people is there a way to protect against this?

We've just whipped together a fun demo exploring how to build an AI shopping co-pilot! It's just a little proof of concept showing how you can get an AI bot to take actions on a user's behalf. With a few lines of code the AI can: 🧺 Add items to the shopping basket 📦 Check an order shipping status 🧭 Navigate the user to pages Checkout the demo vid, and read on to see how it works! #ai

I've created an AI meal tracker bot that's way easier to use than my fitness pal and it provides me feedback on whether I'm on target and eating healthy or not. It also logs all my meals in to Notion. did I mention I did this with absolutely no code. #nocode