
Not Working unless I use script src from niutech.github.io #63

@dalaryn

Wrote up this PoC, but it only works when the script src is "https://niutech.github.io/x-frame-bypass/x-frame-bypass.js"

Not working:

<!DOCTYPE html>
<html>
<head>
	<meta charset="UTF-8">
	<meta name="viewport" content="width=device-width, initial-scale=1.0">
	<meta name="description" content="X-Frame-Bypass: Web Component extending IFrame to bypass X-Frame-Options: deny/sameorigin">
	<title>X-Frame-Bypass Web Component Demo</title>
	<style>
		/* CSS lengths need a unit; a bare 350 is invalid and gets ignored */
		html, body {
			margin: 0;
			padding: 0;
			height: 350px;
			width: 350px;
			overflow: hidden;
		}
		iframe {
			display: block;
			height: 350px;
			width: 350px;
			margin: 20px;
		}
		img {
			position: absolute;
			top: 0;
			right: 0;
		}
	</style>
	<!-- polyfill for customized built-in elements (the is="..." attribute) -->
	<script src="https://unpkg.com/@ungap/custom-elements-builtin"></script>
	<!-- component loaded from unpkg: this is the variant that does not work -->
	<script src="https://unpkg.com/x-frame-bypass" type="module"></script>
</head>
<body>
<h2>If the Web Application below is loaded, it is vulnerable to Clickjacking</h2>
	<!-- plain iframe: the browser honours X-Frame-Options / CSP frame-ancestors -->
	<!-- samesite/secure are cookie attributes, not iframe attributes, and have no effect here -->
	<iframe src="https://google.com" height="250" width="600" samesite=none secure=true></iframe>
<h2>If the Web Application below is loaded, it is vulnerable to Clickjacking using a CORS bypass</h2>
	<!-- customized iframe upgraded by the x-frame-bypass component -->
	<iframe is="x-frame-bypass" src="https://google.com" height="250" width="600" samesite=none secure=true></iframe>
</body>
</html>

Working:

<!DOCTYPE html>
<html>
<head>
	<meta charset="UTF-8">
	<meta name="viewport" content="width=device-width, initial-scale=1.0">
	<meta name="description" content="X-Frame-Bypass: Web Component extending IFrame to bypass X-Frame-Options: deny/sameorigin">
	<title>X-Frame-Bypass Web Component Demo</title>
	<style>
		/* CSS lengths need a unit; a bare 350 is invalid and gets ignored */
		html, body {
			margin: 0;
			padding: 0;
			height: 350px;
			width: 350px;
			overflow: hidden;
		}
		iframe {
			display: block;
			height: 350px;
			width: 350px;
			margin: 20px;
		}
		img {
			position: absolute;
			top: 0;
			right: 0;
		}
	</style>
	<!-- polyfill for customized built-in elements (the is="..." attribute) -->
	<script src="https://unpkg.com/@ungap/custom-elements-builtin"></script>
	<!-- component loaded from the project's GitHub Pages: this variant works -->
	<script src="https://niutech.github.io/x-frame-bypass/x-frame-bypass.js" type="module"></script>
</head>
<body>
<h2>If the Web Application below is loaded, it is vulnerable to Clickjacking</h2>
	<!-- plain iframe: the browser honours X-Frame-Options / CSP frame-ancestors -->
	<!-- samesite/secure are cookie attributes, not iframe attributes, and have no effect here -->
	<iframe src="https://google.com" height="250" width="600" samesite=none secure=true></iframe>
<h2>If the Web Application below is loaded, it is vulnerable to Clickjacking using a CORS bypass</h2>
	<!-- customized iframe upgraded by the x-frame-bypass component -->
	<iframe is="x-frame-bypass" src="https://google.com" height="250" width="600" samesite=none secure=true></iframe>
</body>
</html>
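The PoC above only shows visually whether a target renders inside a plain iframe. As an added example (not code from this issue or from the x-frame-bypass project), the following evaluates the same question from a target's response headers: whether an embedding origin may frame it under CSP frame-ancestors and X-Frame-Options, the policies the component's description says it bypasses. The header values and origins in the sample are constructed.

```javascript
// Added example, not code from the issue or the x-frame-bypass project.
// Decide from a target page's response headers whether a page at `embedder`
// may put it in an <iframe>. Browsers apply CSP frame-ancestors when present
// and fall back to X-Frame-Options only when that directive is absent.

function hostMatches(pattern, host) {
  // "*.example.com" matches any subdomain (not the bare domain); otherwise hosts must be equal
  if (pattern.startsWith("*.")) return host.endsWith(pattern.slice(1)) && host !== pattern.slice(2);
  return pattern === host;
}

function frameAncestorsAllow(sourceList, embedder, target) {
  const sources = sourceList.trim().split(/\s+/).filter(Boolean).map((s) => s.toLowerCase());
  if (sources.length === 0 || sources.includes("'none'")) return false; // empty list acts like 'none'
  const e = new URL(embedder);
  const ePort = e.port || (e.protocol === "https:" ? "443" : "80");
  for (const src of sources) {
    if (src === "'self'") { if (e.origin === new URL(target).origin) return true; continue; }
    if (src === "*") return true;
    if (/^[a-z][a-z0-9+.-]*:$/.test(src)) { if (e.protocol === src) return true; continue; } // scheme-source
    // host-source: [scheme://]host[:port], host may start with "*."
    const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^:/]+)(?::(\d+|\*))?$/.exec(src);
    if (!m) continue;
    const [, scheme, host, port] = m;
    if (scheme && scheme + ":" !== e.protocol) continue;
    if (!hostMatches(host, e.hostname)) continue;
    if (port && port !== "*" && port !== ePort) continue;
    return true;
  }
  return false;
}

function canBeFramed(headers, embedder, target) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = v; // header names are case-insensitive
  const csp = h["content-security-policy"] || "";
  const fa = csp.split(";").map((d) => d.trim()).find((d) => /^frame-ancestors(\s|$)/i.test(d));
  if (fa !== undefined) return frameAncestorsAllow(fa.slice("frame-ancestors".length), embedder, target);
  const xfo = (h["x-frame-options"] || "").trim().toUpperCase();
  if (xfo === "DENY") return false;
  if (xfo === "SAMEORIGIN") return new URL(embedder).origin === new URL(target).origin;
  // No header, or an obsolete value such as ALLOW-FROM that current browsers ignore: frameable
  return true;
}

// Constructed sample: a target sending both headers; frame-ancestors wins over the DENY
const SAMPLE_HEADERS = {
  "X-Frame-Options": "DENY",
  "Content-Security-Policy": "default-src 'self'; frame-ancestors 'self' https://*.trusted.example",
};
console.log(canBeFramed(SAMPLE_HEADERS, "https://app.trusted.example", "https://target.example/")); // true
```

A `false` here is what the first iframe in the PoC shows as a blank frame; the second iframe does not defeat these headers in the browser but renders a copy fetched through a CORS proxy, which is why the check above describes the real origin's frameability rather than the proxied copy.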
