Leave your name here just by visiting the project

Serious about the title. This is your only warning.

Project URL: https://island-foamy-paperback.glitch.me/

This project combines two things about Glitch:

  1. Any site can embed a Glitch project.
  2. Anyone can see who’s viewing a (public) project in the corner of the editor.

I found out about this when I saw an embed in the Glitch blog.

14 Likes

This, my friend, is absolutely genius; you just gave me a whole lot of ideas! Good work!

6 Likes

This
Is
Awesome

2 Likes

I bet one of them is going to be an analytical counter or similar.

2 Likes

Can you make the embed hidden, so nobody will see it?

Yeah, you should be able to use some CSS to hide it, the iframe element probably has some neat attributes to hide it too.

6 Likes
iframe {
  display: none;
}

Code above should do the trick, but I’m no frontend dev.

3 Likes

It will.

5 Likes

Yes

How does this project work? Does it scrape the embed for a user or something?

You can just try yeeting it somewhere else haha:

iframe {
  position: fixed;
  opacity: 0;
  left: 1000000000000000px;
}

Well, the opacity: 0 probably does the trick lol

1 Like

Guys, I’m pretty sure @wh0 or @ihack2712 or whoever is creating stuff with the embed will definitely know how to hide an element with CSS, let’s not sweat about the CSS and let’s focus on how awesome this thing is and how you could create amazing projects and concepts with this.

Why do all this hard work? Just add display: none.

3 Likes

This is just awesome, here’s a bump from me!

@glitch_support since this is possible, doesn’t this also expose users to CSRF? Or does Glitch apply the X-Frame-Options header in the API?

Took a look at Glitch’s headers and they don’t have an X-Frame-Options header on glitch.com/edit/*.

I suspect the reason they don’t have this header is that Glitch is supposed to be iframed (Glitch allows embeds on websites).

That is really dangerous and is a security vulnerability, see https://owasp.org/www-community/attacks/csrf.

They can still allow iframes on such things as an editor and stuff, but should limit all dangerous API endpoints.

3 Likes
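As an added example (not code from the thread or from Glitch), here is the check the posts above are doing by hand, namely whether a response's headers let another origin frame the page, together with the per-route header split suggested for editor pages versus API endpoints. The origins and header values in it are constructed samples; only exact-origin matches in frame-ancestors are handled.

```javascript
// Added example, not code from the thread or from Glitch. Decides, the way a
// browser would, whether a page served from pageOrigin may be framed by a page
// at embedderOrigin, and builds the per-route headers the post above asks for.
// All header values and origins below are constructed samples.

// Pull the frame-ancestors source list out of a Content-Security-Policy value.
function frameAncestors(csp) {
  if (!csp) return null;
  const d = csp.split(';').map(s => s.trim()).find(s => /^frame-ancestors\b/i.test(s));
  return d ? d.split(/\s+/).slice(1).map(s => s.toLowerCase()) : null;
}

// headers: object with lower-cased names, as Node and fetch() expose them.
// Only exact-origin matches are handled; host wildcards (https://*.example.com) are not.
function framingAllowed(headers, pageOrigin, embedderOrigin) {
  const ancestors = frameAncestors(headers['content-security-policy']);
  if (ancestors) {
    // CSP frame-ancestors takes precedence over X-Frame-Options when both are present.
    if (ancestors.includes("'none'")) return false;
    if (ancestors.includes('*')) return true;
    if (ancestors.includes("'self'") && embedderOrigin === pageOrigin) return true;
    return ancestors.includes(embedderOrigin.toLowerCase());
  }
  const xfo = (headers['x-frame-options'] || '').trim().toUpperCase();
  if (xfo === 'DENY') return false;
  if (xfo === 'SAMEORIGIN') return embedderOrigin === pageOrigin;
  // No header, or an obsolete/invalid value such as ALLOW-FROM (which modern
  // browsers ignore entirely): nothing restricts framing.
  return true;
}

// The split the post asks for: embeddable editor pages, unframeable API routes.
function framingHeadersFor(path) {
  if (path.startsWith('/api/')) {
    return { 'x-frame-options': 'DENY', 'content-security-policy': "frame-ancestors 'none'" };
  }
  return { 'content-security-policy': 'frame-ancestors *' };
}

// Constructed sample: an editor page as observed in the thread (no framing header at all).
const editorHeaders = { 'content-type': 'text/html' };
console.log(framingAllowed(editorHeaders, 'https://glitch.com', 'https://example.org')); // true
console.log(framingAllowed(framingHeadersFor('/api/projects'), 'https://glitch.com', 'https://example.org')); // false
```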

Agreed! They should also consider a robots.txt file on glitch.com and api.glitch.com as I can think of a few pages that probably shouldn’t be crawled.

2 Likes