Safe curl-like web viewer (single HTML)

Request headers (one per line, e.g. Accept: text/html)

Advanced

- CORS applies. If blocked, set a proxy below you control.

- JavaScript from target is stripped. Links are rewritten to stay inside viewer.

Optional proxy base URL

Proxy must allow POST with JSON {url, headers}. Return: status, headers, body (text). See inline spec below.

Response info

—

Applied CSP: default-src 'none'; scripts blocked

Security notes

- Viewer runs in sandboxed iframe.

- Inline event handlers (onclick etc.) removed.

- Potentially dangerous tags stripped: script, iframe, object, embed, link[rel=preload|modulepreload], base.

- Styles allowed inline; external CSS blocked.

Render

HTML

Headers