Affected Tool or Page
Open Graph Inspector (tools/open-graph-inspector.html)
Bug Description
When running locally (via file://) or if the primary backend fetch proxy fails, the fetchPage function falls back to using public CORS proxies:
fetch("https://api.allorigins.win/raw?url=" + encodeURIComponent(url))
fetch("https://corsproxy.io/?" + encodeURIComponent(url))
While this enables client-side URL fetching, it implicitly transmits any URL inspected by a developer (which may include internal development/staging environments or private query tokens/API keys) to external, third-party public services.
Steps to Reproduce
- Open the Open Graph Inspector locally (
file:///.../tools/open-graph-inspector.html).
- Enter a private development URL (e.g.
http://localhost:3000/dashboard?token=xyz).
- Click "Analyze".
- View network requests in DevTools; notice the full private URL is sent to
api.allorigins.win or corsproxy.io.
Expected Behavior
The tool should warn the user before falling back to external public proxies, or require explicit user consent to transmit URLs to third-party servers.
Actual Behavior
The tool automatically falls back to third-party public proxies without warning.
Environment
Any browser, running locally or behind CORS restrictions.
Screenshots
No response
Pre-submission Checklist
Affected Tool or Page
Open Graph Inspector (
tools/open-graph-inspector.html)Bug Description
When running locally (via
file://) or if the primary backend fetch proxy fails, thefetchPagefunction falls back to using public CORS proxies:While this enables client-side URL fetching, it implicitly transmits any URL inspected by a developer (which may include internal development/staging environments or private query tokens/API keys) to external, third-party public services.
Steps to Reproduce
file:///.../tools/open-graph-inspector.html).http://localhost:3000/dashboard?token=xyz).api.allorigins.winorcorsproxy.io.Expected Behavior
The tool should warn the user before falling back to external public proxies, or require explicit user consent to transmit URLs to third-party servers.
Actual Behavior
The tool automatically falls back to third-party public proxies without warning.
Environment
Any browser, running locally or behind CORS restrictions.
Screenshots
No response
Pre-submission Checklist