wh0
October 9, 2020, 5:31am
1
Serious about the title. This is your only warning.
Project URL: https://island-foamy-paperback.glitch.me/
This project combines two things about Glitch:
Any site can embed a Glitch project.
Anyone can see who’s viewing a (public) project in the corner of the editor.
I found out about this when I saw an embed in the Glitch blog.
17 Likes
This, my friend, is absolutely genius, you just gave me a whole lot of ideas! Good work!
7 Likes
I bet one of them is going to be an analytical counter or similar.
3 Likes
Can you make the embed hidden, so no people will see it?
1 Like
Yeah, you should be able to use some CSS to hide it, the iframe element probably has some neat attributes to hide it too.
7 Likes
iframe
{
display: none;
}
Code above should do the trick, but I’m no frontend dev.
4 Likes
Yes
How does this project work? Does it scrape the embed for a user or something?
1 Like
You can just try yeeting it somewhere else haha:
iframe {
position:fixed;
opacity:0;
left:1000000000000000px;
}
1 Like
well, the opacity 0 probably does the trick lol
2 Likes
Guys, I’m pretty sure @wh0 or @ihack2712 or whoever is creating stuff with the embed will definitely know how to hide an element with CSS, let’s not sweat about the CSS and let’s focus on how awesome this thing is and how you could create amazing projects and concepts with this.
Why do all this hard work, just add display: none.
4 Likes
no_one
October 12, 2020, 11:53am
13
This is just awesome, here’s a bump from me!
1 Like
@glitch_support since this is possible, doesn’t this also expose users to CSRF? Or does Glitch apply the X-Frame-Options header in the API?
1 Like
Took a look at Glitch’s headers and they don’t have an X-Frame-Options on glitch.com/edit/*.
I suspect the reason they don’t have this header is that Glitch is supposed to be iframed (Glitch allows embeds on websites).
That is really dangerous and is a security vulnerability, see https://owasp.org/www-community/attacks/csrf
They can still allow iframes on such things as an editor and stuff, but should limit all dangerous api endpoints
4 Likes
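The two posts above argue for keeping the editor embeddable while blocking framing of sensitive endpoints. Whether a response may be framed cross-origin is governed by the X-Frame-Options header and, with precedence over it in current browsers, the CSP frame-ancestors directive. The following is an added example, not code from this thread or from Glitch, that classifies a response's framing policy from its headers so a site owner can audit which paths are embeddable; the header sets at the bottom are constructed samples, not Glitch's real responses.

```python
"""Classify how freely an HTTP response may be placed in an <iframe>.

Added example (not from the thread or from Glitch). It inspects only the
headers relevant to framing:
  - Content-Security-Policy: frame-ancestors ...   (wins when present)
  - X-Frame-Options: DENY | SAMEORIGIN             (fallback)
"""
from typing import Dict, List, Optional


def frame_ancestors_from_csp(csp: str) -> Optional[List[str]]:
    """Return the source list of a frame-ancestors directive, or None if absent."""
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            return parts[1:]
    return None


def framing_policy(headers: Dict[str, str]) -> str:
    """Return one of 'blocked', 'same-origin', 'restricted', 'any'.

    Header names are matched case-insensitively. If a CSP frame-ancestors
    directive exists it decides the outcome and X-Frame-Options is ignored,
    which mirrors how browsers resolve the two.
    """
    lowered = {name.lower(): value for name, value in headers.items()}

    csp = lowered.get("content-security-policy")
    if csp:
        ancestors = frame_ancestors_from_csp(csp)
        if ancestors is not None:
            sources = [s.strip("'").lower() for s in ancestors]
            if sources == ["none"]:
                return "blocked"
            if sources == ["self"]:
                return "same-origin"
            # '*' or a bare scheme source such as 'https:' admits any origin.
            if any(s == "*" or s.endswith(":") for s in sources):
                return "any"
            return "restricted"

    xfo = lowered.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return "blocked"
    if xfo == "SAMEORIGIN":
        return "same-origin"
    # No framing control at all: any site can embed this response.
    return "any"


def audit(responses: Dict[str, Dict[str, str]]) -> Dict[str, str]:
    """Map each path to its framing policy; handy for spotting endpoints
    that are embeddable but should not be."""
    return {path: framing_policy(hdrs) for path, hdrs in responses.items()}


# Constructed sample responses (hypothetical paths and headers, for illustration only).
SAMPLE_RESPONSES = {
    "/edit/embed-me": {"Content-Type": "text/html"},
    "/api/account": {"X-Frame-Options": "DENY"},
    "/dashboard": {"X-Frame-Options": "SAMEORIGIN"},
    "/widget": {"Content-Security-Policy":
                "default-src 'self'; frame-ancestors 'self' https://partner.example"},
    "/api/token": {"Content-Security-Policy": "frame-ancestors 'none'",
                   "X-Frame-Options": "SAMEORIGIN"},
}

if __name__ == "__main__":
    for path, policy in audit(SAMPLE_RESPONSES).items():
        flag = "  <-- embeddable anywhere" if policy == "any" else ""
        print(f"{path:20} {policy}{flag}")
```

Paths reported as "any" are the ones to review: an embeddable editor page may be intended, but an API or account endpoint in that column is a candidate for X-Frame-Options: DENY or frame-ancestors 'none'.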
Agreed! They should also consider a robots.txt file on glitch.com and api.glitch.com as I can think of a few pages that probably shouldn’t be crawled.
3 Likes
system
Closed
April 10, 2021, 2:22pm
18
This topic was automatically closed 180 days after the last reply. New replies are no longer allowed.