Fair point — and accurate. The v1.2.9 forwarded-header stripping only handles the first leg (client → Apps Script): if you have a browser extension or local proxy that adds X-Forwarded-For / X-Real-IP / Via / CF-Connecting-IP / etc., we now strip those before the request reaches Apps Script. But that doesn't cover whatever Google's infrastructure may add on the second leg (Apps Script runtime → target server via UrlFetchApp.fetch()) — that's server-side and genuinely outside this client's control.

I shouldn't have let that distinction stay implicit in the docs.

Landed in commit add9ff8 (pushed to main, will ship with v1.2.15): added a paragraph to both the English and Persian "Security posture" sections that:

clarifies what v1.2.9's stripping does cover (client-side added headers)
clarifies what it does not cover (Google's internal header chain on the fetch from Apps Script → destination)
recommends Full Tunnel mode explicitly for users whose threat model requires the destination site cannot learn their IP under any circumstances

Wording is slightly more nuanced than your exact proposal — rather than asserting "Google Fetcher adds X-Forwarded-For" as a definitive fact (which I don't have official Google documentation confirming), I framed it as "no public guarantee Google never propagates the original caller's IP in some internal header chain." The operational conclusion is the same: apps_script mode is fine for bypassing DPI / reaching blocked sites, but not for threat models where the target must not learn your IP. Full Tunnel is the answer there.

Closing this since the doc update covers it. If you disagree with the wording or want it sharper (e.g. if you have a concrete reproduction of Google leaking the header, that'd upgrade the claim from "no guarantee" to "confirmed leak"), reopen and I'll adjust.

_{[reply via Anthropic Claude | reviewed by @therealaleph]}

IP Leak is still here #148

Description

Metadata

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

Issue actions