Snapinator Bug

I found a bug with Snapinator. Snapinator can be used to read others' unshared projects, just like many other popular Scratch converters of the past (some still have that) :exploding_head: :fearful: :scream: // cc @djdolphin

Not a bug in Snapinator. Protecting unshared projects is the Scratch Team’s responsibility, and it’s one they’ve ducked since Scratch 2.0 was released in 2013. At this point I don’t think they’ll fix it.

But isn't it possible to fix it? I think tjvr had fixed this bug for scratchblocks going way back in the past.

I’m not aware of any API to check if a project is unshared that can be accessed from non-Scratch domains without a CORS proxy.

Even if I do “fix” it, it would be easy to work around since the unshared project check would be on the client side. Only the Scratch Team can implement a real, server-side fix.

What about making a server request to projects.scratch.mit.edu and checking the response?

projects.scratch.mit.edu gives no indication of whether the project is shared. It just returns the project JSON, whether it's supposed to be public or not. That's the entire problem here.

You get an error message saying this: "{"code":"NotFound","message":""}" when trying to connect to the Scratch API for unshared projects. Thus you may use that.

Um, @djdolphin?

The Scratch Team's CORS policy blocks other websites from using api.scratch.mit.edu. And I'm not inclined to set up a CORS proxy just for that, because

Even if I do “fix” it, it would be easy to work around since the unshared project check would be on the client side. Only the Scratch Team can implement a real, server-side fix.

I see. Thank you for your response.
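
Added example, not part of the thread and not Scratch's or Snapinator's code: a sketch of the server-side check the posts above say only the Scratch Team can implement, shown next to the unchecked behaviour described for the project store. The function names, the session model and the sample projects are all assumptions constructed for illustration.

```javascript
// Constructed sample data: not real Scratch projects or users.
const PROJECTS = new Map([
  [101, { owner: "alice", shared: true,  json: { targets: ["public sprite"] } }],
  [102, { owner: "alice", shared: false, json: { targets: ["private sprite"] } }],
]);

// Same body the thread quotes from the API for unshared projects.
const NOT_FOUND = { status: 404, body: { code: "NotFound", message: "" } };

// Single visibility rule, evaluated on the server.
// sessionUser must come from a server-verified session, never from a
// value the client supplies in the request (hypothetical session model).
function canRead(project, sessionUser) {
  return project.shared ||
    (sessionUser !== null && sessionUser === project.owner);
}

// Behaviour described in the thread: the project store returns the
// JSON without consulting the shared flag at all.
function getProjectJsonUnchecked(id) {
  const p = PROJECTS.get(id);
  return p ? { status: 200, body: p.json } : NOT_FOUND;
}

// Hardened form: the store applies the same rule as the metadata API.
// "Missing" and "not allowed" return the identical response, so the
// endpoint does not confirm that an unshared project exists.
function getProjectJsonChecked(id, sessionUser) {
  const p = PROJECTS.get(id);
  if (!p || !canRead(p, sessionUser)) return NOT_FOUND;
  return { status: 200, body: p.json };
}

// A converter that hides unshared projects in its own page code changes
// nothing here: any other client still reaches the unchecked endpoint.
function demo() {
  return {
    uncheckedAnonymous: getProjectJsonUnchecked(102).status,
    checkedAnonymous: getProjectJsonChecked(102, null).status,
    checkedOtherUser: getProjectJsonChecked(102, "bob").status,
    checkedOwner: getProjectJsonChecked(102, "alice").status,
    checkedSharedAnonymous: getProjectJsonChecked(101, null).status,
  };
}
```

Because the decision is made where the data is served, every client, converter or not, gets the same answer for an unshared project.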