Comments (3)
- I'm not sure I fully understand the security issue you're trying to point out. The request headers that the browser sends will only contain data that was set by using the proxy. So, if you sign into GitHub without using the proxy, then access GitHub through the proxy, no GitHub cookie information will be sent because the browser is making requests to the proxy rather than to GitHub. Also, as of right now, miniProxy doesn't actually support cookies; the proxy doesn't persist them between page loads. Adding cookie support would be interesting since the browser always sees the proxy as a single site, but the proxy would need to properly handle cookies across multiple sites without exposing cookies between sites. The only reason I `unset()` specific request headers is because cURL needs to set those headers (and ignore the browser's headers) since cURL is actually talking to the remote server, not the browser.
- Nice catch with the port numbers, I've just pushed a fix in adf9810.
- Basic authentication inside URLs appears to work fine for me, so could you elaborate on this issue? The markup `<a href="http://test:[email protected]/password-ok.php">testing basic auth</a>` results in the properly proxied URL `http://path/to/miniProxy.php/http://test:[email protected]/password-ok.php`, and clicking on the proxied link shows that the server was able to read the basic auth credentials with no issues.
I'll keep this issue closed for now, until there's further action to be taken on it.
Thanks for your feedback!
- I run the miniProxy on http://bla.com which requires authentication and uses cookies. So every request to bla.com contains those elements. miniProxy takes all headers and passes them on (without my fix). So in fact if I have a session-id inside the cookie-header, miniProxy passes this session-id on to another server, which is unnecessary. As miniProxy also sets its own URL as referer, the target server basically got the URL bla.com and my session-id, which could lead to a security issue...
- Basic auth works for the first URL, but if you click any link on that, the credentials are gone...
- I believe I understand the issue now, but just to make sure: You're saying that you run the proxy at a domain where a DIFFERENT application requiring authentication/cookies also runs? And because they're both sharing the same domain, the browser request headers contain the cookie data for any/all applications associated with that domain, which the proxy is transparently passing through?
- I see what you mean about the basic auth URLs. They were broken in the same way as the previous port problem. I've pushed 7755481 which fixes that issue.
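
The cookie passthrough discussed in this thread can be avoided by relaying only an allow-list of browser headers to the remote server, so that cookies and credentials scoped to the proxy's own domain never leave it. This is an added example, not miniProxy's code or the fix from this issue; the function name `buildOutboundHeaders`, the allow-list and the sample headers are assumptions constructed for illustration.

```php
<?php
// Added example (not miniProxy's own code). Names and the allow-list are assumptions.

// Browser headers considered safe to relay to the remote server.
const FORWARDABLE_HEADERS = ['accept', 'accept-language', 'user-agent', 'content-type'];

/**
 * Build the header lines for the outbound cURL request.
 *
 * @param array $browserHeaders name => value pairs, e.g. from getallheaders()
 * @return array header lines in the "Name: value" form cURL expects
 */
function buildOutboundHeaders(array $browserHeaders): array
{
    $outbound = [];
    foreach ($browserHeaders as $name => $value) {
        // Anything not explicitly allowed is dropped: Cookie, Authorization,
        // Referer and Host all belong to the proxy's own origin.
        if (!in_array(strtolower($name), FORWARDABLE_HEADERS, true)) {
            continue;
        }
        // Skip values containing CR/LF so one header cannot carry a second one.
        if (preg_match('/[\r\n]/', $value)) {
            continue;
        }
        $outbound[] = $name . ': ' . $value;
    }
    return $outbound;
}

// Constructed sample: a request to a proxy hosted on a domain that also
// runs another application using session cookies and basic auth.
$browserHeaders = [
    'Host'          => 'bla.com',
    'User-Agent'    => 'ExampleBrowser/1.0',
    'Accept'        => 'text/html',
    'Cookie'        => 'PHPSESSID=constructed-session-id',
    'Authorization' => 'Basic Y29uc3RydWN0ZWQ6dmFsdWU=',
    'Referer'       => 'http://bla.com/miniProxy.php/http://example.org/',
];

$outbound = buildOutboundHeaders($browserHeaders);
print_r($outbound); // only the User-Agent and Accept lines remain

// The result is what would be handed to cURL:
// curl_setopt($ch, CURLOPT_HTTPHEADER, $outbound);
```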