Script injecting to Glitch Editor

I’m attempting to make a Glitch “extension”. This idea popped out after seeing Lameplit’s extensions. I browsed some, and I thought my idea would be a .CSV viewer. Now, this isn’t a suggestion to turn .CSV files into something like the graphical .ENV viewer embedded in the editor itself, because my hard work would all go to code-hell. And I’m also not the 18969th wimp to ask for an official extension API for Glitch, this isn’t a suggestion.

But why am I bringing this up? You see, I planned COOLcsv (uncool name, I know (get it?)) to work as a simple bookmarklet that injects the required JS code. I thought simply importing it would work, it didn’t. Then after a “few” tries I realized the Github API is allowed to request through Glitch (likely the Glitch-Github support), so I created a private Github gist for the code of COOLcsv, requested it, worked fine, until I realized Glitch blocks any kind of injection possible, whether it’d be though an eval/new Function, <script> inlines and tags with a src to a data URL, so on.

Though yes, Github API can give us a raw link for my beautiful script of the gist (I tested the extension more than I tested the injecting bookmarklet itself, how smart /sarc), but requests to rawgithubcontent.com are blocked either, because, of course, don’t let unnecessary URLs be requested or else abominations like COOLcsv are easy to inject or manipulate the editor itself.

I also tried removing the <meta> tags which correspond to the CSP, but some of the CSP was still left, leaving me absolutely insane, yet again with my stupid code creations that never should and will work.

Looks like this is a dead end, cause I don’t think anyone would contact me for the sole purpose of telling how to hack into Glitch’s editor, so I don’t ask for any help, rather, I’m hoping I discover some sort of hole in Glitch’s highly inspected CSP string or something like that, but again, I’d be banned for inserting ugly Rix code onto Glitch editor (trust me, my code style is ugly).

Also, I do know the prime existence of user scripts, but you have to install some sort of extension before using user scripts. Yes, I don’t use Firefox.

If you’re using a Chrome-based browser, you could try taking a look at my extension that I have been working on.

It all some pretty terrible code that need refactoring, but it’s doing nearly the same things you’re wanting, so it should be helpful.

Yeah sure, until people that use a non-Chromium browser like IE show up, though this is a great idea

This will likely be the one solution that’ll actually work

I’m trying to figure out Firefox support to, but it’s met with some complications.

No no, I don’t use Firefox, cause I use C̷̢̛̛̛̛̯͚̲̬̩̳̝̹̙̖̳̠̝̠̠̗̜̻̱͙̳̭͖̤̋̌̾̆͑̃̐͑́͑̾́̆́̒̊̈́͑̂̾̈́͐̈̆̀̈̉̑̋͆̎̊͛͗̿͋̈̇̈̚̕͘̚͜͝͝͠h̷̡̡̧̡̡̛̛̩̹͙̣͚̘̫̳͔͖̰̪͎̝͈̘͍̰̩͉̻͙̹̞̜̼̻͈̫̩̝̻̮̺̭͙̥͈͎̯̮͆̎͊͒̃͑͊́̑̐̀͛̏̈́̔̐̑̓̈́̊̒͋̄̃́̀͊̐̈̈́̔̆͂̈́́͐̕̚͘͘͘͜͜͜͝ͅr̸̡̜̮̜̙̻̲̣̜̺̞̱̰͚̳͉͚̘͙̼̟̯̲̹̞̫̘̺͙̜̠̺̝̩̬̭̰̖͍̟̝̲͕͎̱̈́̏̅̐̍̇̊̿̐̀̉̔̈́́̃̔̋̄̓̍̈͂̓̓͊̾̾́̄̓̉̆̀͊̀̀̇̇͆̈́̾̇͛͆̚̚͜͠͝ͅͅͅơ̵̡̘̼̘̪͚͇̟͚͔̯͓̥̙̜͕͈̥̼̫̙̟̤̪͕͋͂̎͑́́̍̆͐̀̔̓̏͊̀̀̋͑́̆̚m̸̡̡̧͉̣̙̲̗͚̬̳̯̥̭̮̗̫̘͙͈͈̲̲̝̬̳̘͓̻͙̼̖̩͖̠̻̤̯̻͚̾̀̈̒̈́͛͊͊̾̔̀́́̐͌̎̿̓͗̇͛̈́̋̋̉̒̾͊̇͒̎̃̑̐͊̐̔̄͒̏̒̕̕͘͜͜͜͠͠͝͝͝ͅͅͅę̴͕̻͖͔̻̪̟̜̲͙̥̩͉̖͍̜̩͊̉͋̿̏͐͆̅̀̑̍̃̉̀̊͒̂̌̈́͊̆̇̽͗͑̏̕͠ͅ

could you upload the script to npm and request it through unpkg.com

A new ridiculous solution I’ve been using recently is putting the code in the readme of a project and then requesting it using glitch’s project api README endpoint, that is allowed using cors.

Or just upload it to npm and use unpkg

But if you can read files, why not read something else than the README? Or is the special endpoint only for READMEs? Plus, eval doesn’t work if it’s not from DevTools

Also, UNPKG seems like a perfect solution, why haven’t thought of that before? /srs

I will check out UNPKG and NPM tomorrow. Brilliant idea for a bookmarklet, doesn’t even request to Github API.

oh boy if you’re worried about IE support, you’re gonna be here for a long time!

Why not put whatever stuff you want to load from raw.githubusercontent.com into a Glitch project? Upload all your files into a Glitch project (without any package.json or anything) and Glitch will serve them normally!

You know, there still are apps that use IE. And plus, IE can still be triggered by a simple .VBS scriptoe.

Only support-poster.glitch.me are CSP-compliant for Glitch. You can’t request other glitch.me domains without a CSP restriction error.

Of course, that is, if you decide to uninstall Edge like I did

even if someone comes up with a way to get through the CSP, I don’t think posting here would be a good idea because it’s basically a security vulnerability on glitch’s side of things

That’s why I wasn’t needing help, but a miracle (a way to request the JS to Glitch)

UNPKG worked perfectly fine. :3

It’s a special endpoint only for the readme.

IE is deprecated and super old, forget it. Edge is based on chromium so you provabily won’t have to worry about it.

You know what they say, “just because it’s deprecated, doesn’t mean nobody uses it for another 10 years”

Eh, UNPKG looks like a better solution anyway.

offtopic tip: If you’re making an extension for glitch I highly recommend checking out the application variable, it has a ton of cool hidden stuff and it’s what I’m using to build the new glitch chat extension.

I don’t think glitch itself is supported in IE, but anyways no one should be using it - even if there is anyone using it, it’s a very small percentage that provabily won’t be using glitch.

offtopic message for the offtopic tip #1: Yeah, I saw application from @Haizlbliek’s extension. I thought that application being a long name was defined somewhere in the extension itself with cool functions. Didn’t find any other refs other than the extension code itself; turns out that the Glitch editor itself includes the application. I wonder why even make global variables when almost nothing else other than DevTools are able to even access it, not even talking about CSP

message #2: GLICTH CHAT???/??1??

Yeah that’s what I’ve been using, but the README api endpoint is still pretty interesting

I’m working on bringing back this: [ARCHIVED] 💬 Open source glitch chat

Probably used within Glitch. You know what they say, “dog-fooding” (a code practice to code something for likely only you to use)

*woah.wav*

When looking at the glitch editor code I noticed a lot of stuff that should have been removed after the editor redesign but still continues there, kind like Microsoft Windows lol. A lot of stuff there seems unused or old.

I remember you can spawn dialogs (the what’s new dog), but my only source to test dialogs (the dawg) is gone

Like the fact when you press back on any of Glitch’s built in tools (except Rewind, that uses different UI like logs and Terminal) it shows you a weirder Tools popup that’s obviously waay older than the regular one. I mean, it’s still styled like it came out this year, but still

fun fact: The Dialer from 3.1 is still available in 11, just run dialer. I mean, it kind of makes sense because all that backwards compatibility, but at least update the UI of that 9X app, Microsoft

I imagined Windows 11 as a wayy better version than what it is, given those four 2D squares for the new logo (it sucks ngl, Microsoft but #0080ff)

What have you been using to spaw dialogs? The only way I’ve discovered is just adding them to the html taking advantage that most of the old css classes still work lol

Yea that was the old, pre-redesign version of the “tools” popup

There was a “what’s new” message below the navbar (somewhat like the “Fastly invitation” message) telling Glitch “got new features” and when you click on a button, it showed up the “new features” in some sort of popup (shows features from around 2 yrs. ago I think(?))

Also, goddamn it, my URL parsing to get the current file was useless because application.currentFileInfo exists and even shows the extension but as long as it doesn’t return current line and line character with the info, that’s a kind of a win for my parsing, so I will keep parsing

Choosing “embed project” in settings also spawns a popup

But I don’t know how to replicate opening a dialog on itself

I use rectify11 so it’s much better, highly recommend

I think it’s still there

I use 10, because that’s the system my PC came with instead of 11 for some reason

Yeah I just append it to the HTML

I captured some HTML of the dialog (edited to be placeholder), but adding equivalent event listeners gon be a troublin for me

<div class="overlay-background"><dialog class="overlay share-embed-overlay"><section class="info"><h1>title?</h1></section><section class="section-wrapper">content??</section></dialog></div>

EDIT: you put this in div#application as the latest element (I don’t think order is necessary for the popup)

I’ll check that out if it looks better than my current solution, thanks!

With enough code, I spawned… A SAMPLE POPUP THAT DOESN’T CLOSE ON CLICK OF THE BACKGROUND!!

1341×480 20.9 KB

So far, I can only see application.files()[application.currentFileInfo().path].I.content as the only way to read the current file, or take data from the editor’s CodeMirror (I don’t know if that is accessible)

EDIT: I am completely wrong.

Reading the current file from the CodeMirror editor object is by doing application.editor().getValue().

You can make it close by adding an event listener to the body that checks if the click target is the modal. If it isn’t, the remote the modal element

Can I join the project? I would love to help making coolCSV

I wonder if collabbing on NPM is even possible (97% of the extension’s on NPM, also it’s COOLcsv, I keep forgetting the casing too)

Yeah, my brain is braining, trust me.

Do you use github/glitch for hosting the npm library or is it just your computer?

I’d love to help too, if possible.

Yeah, it’s local for now, but I could make an “organization” for COOLcsv and a private repo for the source code and maybe invite you guys <3

Might not be helpful but I found when making my own extension chrome-extension:// URLs bypass CSP completely. At least injected from an extension.

oh yeah, back in the day before you could tell chrome to run a script in the page’s “world,” there was a technique where you use DOM to insert a <script> element of a .js file from your extension, something like that

This topic was automatically closed 180 days after the last reply. New replies are no longer allowed.