Skip to content

Comments

Intercept new tab/window attempts in proxy iframe instead of opening new tabs#41

Draft
Copilot wants to merge 5 commits intomainfrom
copilot/intercept-new-tab-attempts
Draft

Intercept new tab/window attempts in proxy iframe instead of opening new tabs#41
Copilot wants to merge 5 commits intomainfrom
copilot/intercept-new-tab-attempts

Conversation

Copy link
Contributor

Copilot AI commented Nov 23, 2025

Proxied content attempts to open new tabs/windows are now intercepted and loaded in the main iframe, keeping users in the proxy context.

Implementation

Iframe Sandbox

  • Removed allow-popups permission to block popups at browser level
  • Maintains required permissions: allow-forms, allow-modals, allow-same-origin, allow-scripts, allow-top-navigation

Client-Side Interception (public/radius-client.js)

  • Overrides window.open() to capture all programmatic popup attempts
  • Event listeners intercept clicks on target="_blank" links and form submissions
  • Returns fake window objects to prevent JavaScript errors

Secure Cross-Frame Communication

  • Uses postMessage with origin validation (never wildcards)
  • Parent validates message source and origin before processing
  • URLs validated for http/https protocols before navigation

Example

// In proxied content, this now loads in the main iframe:
window.open('https://example.com');

// Links and forms with target="_blank" are also intercepted:
<a href="https://example.com" target="_blank">Click</a>
<form action="/search" target="_blank">...</form>

Security

  • Origin validation on all postMessage calls prevents message spoofing
  • Script injection only occurs when iframe origin matches parent (with cross-origin exception handling)
  • Form method defaults to GET with console warning when unspecified

Testing

Test page available at /popup-test.html with scenarios for:

  • window.open() calls
  • Links with target="_blank" and target="_new"
  • Form submissions with target="_blank"

Works with both Scramjet and Ultraviolet proxy backends.

Radius Homepage

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

  • example.com
    • Triggering command: /usr/local/bin/node node server/index.js (dns block)
  • telemetry.astro.build
    • Triggering command: /usr/local/bin/node node /home/REDACTED/work/Radius/Radius/node_modules/.bin/astro build (dns block)
  • www.google.com
    • Triggering command: /usr/local/bin/node node server/index.js (dns block)

If you need me to access, download, or install something from one of these locations, you can either:

Original prompt

make a simple, and convient system that intercepts atempts to open a new tab or window in the web browser (for scramjet and ultravilot web proxys) and opens it inside of the main iframe that loads proxy urls instead of opening them in a new tab or window instead. be shure that it works with coris and if possible, look trought the scramjet and ulravilot apis to find a solution or config setting that will fix this on the proxy levle


✨ Let Copilot coding agent set things up for you — coding agent works faster and does higher quality work when set up for your repo.

@codesandbox
Copy link

codesandbox bot commented Nov 23, 2025

Review or Edit in CodeSandbox

Open the branch in Web EditorVS CodeInsiders

Open Preview

Copilot AI and others added 4 commits November 23, 2025 20:49
… proxies

Co-authored-by: sriail <225764385+sriail@users.noreply.github.com>
Co-authored-by: sriail <225764385+sriail@users.noreply.github.com>
…ation

Co-authored-by: sriail <225764385+sriail@users.noreply.github.com>
…cate code

Co-authored-by: sriail <225764385+sriail@users.noreply.github.com>
Copilot AI changed the title [WIP] Add system for intercepting new tab/window openings Intercept new tab/window attempts in proxy iframe instead of opening new tabs Nov 23, 2025
Copilot AI requested a review from sriail November 23, 2025 21:03
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants