Privacy-aware Web Proxy — Single HTML

プライバシー重視の簡易プロキシクライアント。自己ホスト中継を強く推奨。

Sandboxed iframe • Sanitizes scripts

Proxy base URL（末尾に fetch parameter を置く） Target URL（例: https://example.com）

画像読み込みをブロックリンクを書き換え（プロキシ経由）外部 CSS をブロック（より安全）

注意: ブラウザ側だけで完結する「完全匿名」ではありません。ログやヘッダーの保護は中継サーバー次第です。違法行為に使用しないでください。

Result

表示領域は sandboxed iframe（スクリプト実行不可）

準備完了

自己ホスト推奨 — シンプルな Node.js 中継サーバー

以下はとても簡易な中継（開発用）。本番では認可・認証・ログ保護・TLS を必ず導入してください。

// server.js (Node.js) — save and run with: node server.js
// npm install express node-fetch cors
const express = require('express');
const fetch = require('node-fetch');
const cors = require('cors');
const app = express();
app.use(cors());
app.get('/fetch', async (req, res) => {
  const url = req.query.url;
  if (!url) return res.status(400).send('missing url');
  try {
    const resp = await fetch(url, { redirect: 'follow', compress: true, timeout: 20000 });
    const contentType = resp.headers.get('content-type') || 'text/plain';
    // pass-through for text/html and others; for privacy we strip some headers
    res.set('content-type', contentType);
    // Remove or override headers that might leak server info
    res.removeHeader('x-powered-by');
    // Stream the body:
    const body = await resp.buffer();
    res.send(body);
  } catch (err) {
    console.error('fetch error', err);
    res.status(500).send('fetch error: ' + String(err));
  }
});
const port = process.env.PORT || 3000;
app.listen(port, ()=>console.log('proxy running on http://localhost:' + port));

注意: 上は教育用の超簡易プロキシ。実運用では CSP、レート制御、認証、HTTPS、ログ制御、キャッシュ、ヘッダ除去、TLS強制を必ず実装してください。

and

[\s\S]*?<\/script>/gi, ''); src = src.replace(/[\s\S]*?<\/noscript>/gi, ''); // 2) Remove inline event handlers: onload=, onclick=, onmouseover= etc. src = src.replace(/\son\w+\s*=\s*(['"]).*?\1/gi, ''); src = src.replace(/\son\w+\s*=\s*[^ >]+/gi, ''); // 3) Remove javascript: links src = src.replace(/href\s*=\s*(['"])\s*javascript:[^'"]*\1/gi, 'href="#"'); // 4) Optionally remove external stylesheets and style tags if(options.removeCss){ src = src.replace(/]*rel=["']?stylesheet["']?[^>]*>/gi, ''); src = src.replace(/[\s\S]*?<\/style>/gi, ''); } // 5) Rewrite resource URLs (src, href) to route through proxy (if requested) if(options.rewrite){ // helper to rewrite a URL attribute value to proxy const proxyBase = options.proxyBase || ''; // rewrite src attributes src = src.replace(/(src\s*=\s*['"])([^'"]+)(['"])/gi, (m,p1,p2,p3)=>{ if (p2.startsWith('data:') || p2.startsWith('blob:') || p2.startsWith('about:')) return m; // absolute or relative — convert relative to absolute base if baseUrl provided let url = p2; if (options.baseUrl && !/^[a-zA-Z][a-zA-Z0-9+\-.]*:\/\//.test(url) && url.startsWith('/')){ // absolute path on same origin const u = new URL(options.baseUrl); url = u.origin + url; } else if (options.baseUrl && !/^[a-zA-Z][a-zA-Z0-9+\-.]*:\/\//.test(url) && !url.startsWith('/')){ // relative path try { url = new URL(url, options.baseUrl).href; } catch(e){} } return p1 + proxyBase + safeEncodeUrl(url) + p3; }); // rewrite href attributes src = src.replace(/(href\s*=\s*['"])([^'"]+)(['"])/gi, (m,p1,p2,p3)=>{ if (p2.startsWith('#') || p2.startsWith('mailto:') || p2.startsWith('tel:') || p2.startsWith('javascript:') ) return p1 + '#' + p3; if (p2.startsWith('data:') || p2.startsWith('blob:') || p2.startsWith('about:')) return m; let url = p2; if (options.baseUrl && !/^[a-zA-Z][a-zA-Z0-9+\-.]*:\/\//.test(url) && url.startsWith('/')){ const u = new URL(options.baseUrl); url = u.origin + url; } else if (options.baseUrl && !/^[a-zA-Z][a-zA-Z0-9+\-.]*:\/\//.test(url) && !url.startsWith('/')){ try { url = new URL(url, options.baseUrl).href; } catch(e){} } // make link go through proxy base to fetch new HTML return p1 + options.proxyBase + safeEncodeUrl(url) + p3; }); } // 6) Add meta referrer policy to not send referrer if (!/referrer-policy/gi.test(src)){ const meta = ''; src = src.replace(/]*>/i, (m) => m + meta); } return src; } async function fetchViaProxy(fullProxyBase, targetUrl){ setStatus('フェッチ中: ' + targetUrl); // Build final URL to request from upstream proxy const fetchUrl = fullProxyBase + encodeURIComponent(targetUrl); lastRawUrl = fetchUrl; try { const r = await fetch(fetchUrl, { mode: 'cors', credentials: 'omit' }); if (!r.ok) throw new Error('HTTP ' + r.status); // attempt to guess content-type const ct = r.headers.get('content-type') || ''; if (ct.includes('text/html') || ct.includes('application/xhtml+xml') || targetUrl.endsWith('.html') || targetUrl.endsWith('/')){ const text = await r.text(); setStatus('取得成功 — サニタイズ中…'); return { type: 'html', body: text }; } else { // for non-HTML, we will try to render via blob (images, PDFs may or may not work cross-origin) const blob = await r.blob(); setStatus('取得成功（非HTML）'); return { type: 'blob', body: blob }; } } catch (err){ setStatus('フェッチ失敗: ' + String(err), true); throw err; } } function renderSanitizedHtml(htmlText, options){ const baseUrl = options.baseUrl; const proxyBase = options.proxyBase; const sanitized = sanitizeHtml(htmlText, { removeCss: options.removeCss, rewrite: options.rewriteLinks, proxyBase: proxyBase, baseUrl: baseUrl }); // Create a blob URL and set iframe src to it const blob = new Blob([sanitized], { type: 'text/html' }); const blobUrl = URL.createObjectURL(blob); viewer.src = blobUrl; setStatus('表示完了（サニタイズ済） — ' + (options.rewriteLinks ? 'リンクはプロキシ経由' : 'リンク未書換')); } // render blob (images or otherwise) function renderBlob(blob){ const blobUrl = URL.createObjectURL(blob); // If blob is HTML-like, set as frame; else embed into a minimal HTML wrapper viewer.src = URL.createObjectURL(new Blob([ 'Resource', 'Open resource', '' ], { type: 'text/html' })); setStatus('非HTMLリソースを取得（開くリンクを表示）'); } fetchBtn.addEventListener('click', async ()=>{ const proxyBase = proxyBaseEl.value.trim(); const target = targetEl.value.trim(); if (!proxyBase || !target){ setStatus('Proxy base と target URL を両方入力してください', true); return; } // Validate proxyBase looks like a URL and ends with something ready to append if (!/\/\?*$/.test(proxyBase) && !proxyBase.endsWith('=') && !proxyBase.endsWith('/')) { // not strictly required — but warn } try { setStatus('準備…'); const result = await fetchViaProxy(proxyBase, target); if (result.type === 'html'){ renderSanitizedHtml(result.body, { baseUrl: target, proxyBase: proxyBase, rewriteLinks: rewriteLinks.checked, removeCss: removeCss.checked }); } else { // blob renderBlob(result.body); } } catch(e){ console.error(e); } }); openRaw.addEventListener('click', ()=>{ if (!lastRawUrl){ setStatus('まだ取得がありません', true); return; } window.open(lastRawUrl, '_blank', 'noopener'); }); // Intercept clicks inside iframe that are not rewitten: we attempt no extra handling here because // sanitized links are already rewritten to proxyBase + encoded url. // Extra: allow drag/drop to input document.addEventListener('dragover', e=>e.preventDefault()); document.addEventListener('drop', e=>{ e.preventDefault(); const text = (e.dataTransfer && (e.dataTransfer.getData('text/uri-list') || e.dataTransfer.getData('text/plain'))) || ''; if (text) targetEl.value = text; }); })();