Intercept new tab/window attempts in proxy iframe instead of opening new tabs

[Copilot]

Proxied content attempts to open new tabs/windows are now intercepted and loaded in the main iframe, keeping users in the proxy context.

Implementation

Iframe Sandbox

• Removed allow-popups permission to block popups at browser level
• Maintains required permissions: allow-forms, allow-modals, allow-same-origin, allow-scripts, allow-top-navigation

Client-Side Interception (public/radius-client.js)

• Overrides window.open() to capture all programmatic popup attempts
• Event listeners intercept clicks on target="_blank" links and form submissions
• Returns fake window objects to prevent JavaScript errors

Secure Cross-Frame Communication

• Uses postMessage with origin validation (never wildcards)
• Parent validates message source and origin before processing
• URLs validated for http/https protocols before navigation

Example

// In proxied content, this now loads in the main iframe:
window.open('https://example.com');

// Links and forms with target="_blank" are also intercepted:
<a href="https://example.com" target="_blank">Click</a>
<form action="/search" target="_blank">...</form>

Security

• Origin validation on all postMessage calls prevents message spoofing
• Script injection only occurs when iframe origin matches parent (with cross-origin exception handling)
• Form method defaults to GET with console warning when unspecified

Testing

Test page available at /popup-test.html with scenarios for:

• window.open() calls
• Links with target="_blank" and target="_new"
• Form submissions with target="_blank"

Works with both Scramjet and Ultraviolet proxy backends.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

• example.com
  • Triggering command: /usr/local/bin/node node server/index.js (dns block)
• telemetry.astro.build
  • Triggering command: /usr/local/bin/node node /home/REDACTED/work/Radius/Radius/node_modules/.bin/astro build (dns block)
• www.google.com
  • Triggering command: /usr/local/bin/node node server/index.js (dns block)

If you need me to access, download, or install something from one of these locations, you can either:

• Configure Actions setup steps to set up my environment, which run before the firewall is enabled
• Add the appropriate URLs or hosts to the custom allowlist in this repository's Copilot coding agent settings (admins only)

Original prompt

make a simple, and convient system that intercepts atempts to open a new tab or window in the web browser (for scramjet and ultravilot web proxys) and opens it inside of the main iframe that loads proxy urls instead of opening them in a new tab or window instead. be shure that it works with coris and if possible, look trought the scramjet and ulravilot apis to find a solution or config setting that will fix this on the proxy levle

---

✨ Let Copilot coding agent set things up for you — coding agent works faster and does higher quality work when set up for your repo.

[codesandbox]

Review or Edit in CodeSandbox

Open the branch in Web Editor • VS Code • Insiders

Open Preview

• Start Development Server
• Start Production Server