Skip to content

Bug: Inspected URLs leaked to public third-party proxies on fetch failure #354

Description

@devprashant19

Affected Tool or Page

Open Graph Inspector (tools/open-graph-inspector.html)

Bug Description

When running locally (via file://) or if the primary backend fetch proxy fails, the fetchPage function falls back to using public CORS proxies:

fetch("https://api.allorigins.win/raw?url=" + encodeURIComponent(url))
fetch("https://corsproxy.io/?" + encodeURIComponent(url))

While this enables client-side URL fetching, it implicitly transmits any URL inspected by a developer (which may include internal development/staging environments or private query tokens/API keys) to external, third-party public services.

Steps to Reproduce

  1. Open the Open Graph Inspector locally (file:///.../tools/open-graph-inspector.html).
  2. Enter a private development URL (e.g. http://localhost:3000/dashboard?token=xyz).
  3. Click "Analyze".
  4. View network requests in DevTools; notice the full private URL is sent to api.allorigins.win or corsproxy.io.

Expected Behavior

The tool should warn the user before falling back to external public proxies, or require explicit user consent to transmit URLs to third-party servers.

Actual Behavior

The tool automatically falls back to third-party public proxies without warning.

Environment

Any browser, running locally or behind CORS restrictions.

Screenshots

No response

Pre-submission Checklist

  • I have checked existing issues for duplicates.
  • I have tested this in at least one modern browser.

Metadata

Metadata

Assignees

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions