@chitsaou chitsaou/README.md
Last active Aug 21, 2019

Proxy to remote server with CORS support

cors.py for mitmproxy

Hack around the CORS restriction to enable in-browser XHR to any server.

Usage

Say you are running a web app at localhost, and you want to send XHR to http://remote-server:80, but the CORS restriction forbids access because you are sending requests from an origin that remote-server:80 does not allow.

Run:

mitmproxy -s cors.py -R http://remote-server:80 -b localhost -p 8080

Now localhost:8080 is tunnelled to remote-server:80.

You can now send XHR to the proxied server from localhost:

fetch("http://localhost:8080/api.json")
  .then(function(response) {
    // enjoy the response
  });

Bonus: You can inspect HTTP requests in mitmproxy.

from libmproxy.protocol.http import HTTPResponse
from netlib.odict import ODictCaseless


def response(context, flow):
    # Allow any origin to read every proxied response
    flow.response.headers["Access-Control-Allow-Origin"] = ["*"]

    # Use this if the application sends auth info via header
    flow.response.headers["Access-Control-Expose-Headers"] = ["X-Application-Session-Id"]


def request(context, flow):
    # Hijack CORS OPTIONS request
    if flow.request.method == "OPTIONS":
        headers = ODictCaseless([
            ["Access-Control-Allow-Origin", "*"],
            ["Access-Control-Allow-Methods", "POST"],
            ["Access-Control-Allow-Headers", "X-Application-Session-Id"],
            # Header values are strings
            ["Access-Control-Max-Age", "1728000"]
        ])

        # Answer the preflight from the proxy; it is never forwarded upstream
        resp = HTTPResponse([1, 1], 200, "OK", headers, "")
        flow.reply(resp)
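
The script above answers every origin with `Access-Control-Allow-Origin: *`. As an added example (not part of the gist), here are the same header decisions restricted to an allowlist of development origins, written as a plain function so it runs without mitmproxy. `ALLOWED_ORIGINS`, its values and `cors_headers` are assumptions; the method, header name and max-age are the ones the gist uses.

```python
# Added example: origin-allowlist variant of the gist's CORS header logic.
# ALLOWED_ORIGINS and cors_headers() are hypothetical names, not part of cors.py.

ALLOWED_ORIGINS = {"http://localhost:3000", "http://127.0.0.1:3000"}  # assumed dev origins
ALLOWED_METHODS = ("POST",)                  # same method the gist allows
SESSION_HEADER = "X-Application-Session-Id"  # header name taken from the gist
MAX_AGE = "1728000"                          # same preflight cache time as the gist


def cors_headers(method, request_headers):
    """Return the CORS headers to add for one request, or {} if nothing is granted.

    request_headers is a dict of header names to values; names are matched
    case-insensitively, as HTTP requires.
    """
    hdrs = {k.lower(): v for k, v in request_headers.items()}
    origin = hdrs.get("origin")
    if origin not in ALLOWED_ORIGINS:
        return {}  # unknown or missing origin: add no CORS headers at all

    # Echo the exact origin instead of "*", and tell caches the answer varies by it
    out = {"Access-Control-Allow-Origin": origin, "Vary": "Origin"}

    if method == "OPTIONS" and "access-control-request-method" in hdrs:
        # Preflight: grant only the methods and headers the app needs
        if hdrs["access-control-request-method"] not in ALLOWED_METHODS:
            return {}
        out["Access-Control-Allow-Methods"] = ", ".join(ALLOWED_METHODS)
        out["Access-Control-Allow-Headers"] = SESSION_HEADER
        out["Access-Control-Max-Age"] = MAX_AGE
    else:
        # Actual response: let the page read the session header
        out["Access-Control-Expose-Headers"] = SESSION_HEADER
    return out


if __name__ == "__main__":
    # Constructed sample requests
    samples = [
        ("OPTIONS", {"Origin": "http://localhost:3000",
                     "Access-Control-Request-Method": "POST"}),
        ("POST", {"Origin": "http://localhost:3000"}),
        ("POST", {"Origin": "http://other.example"}),
    ]
    for method, headers in samples:
        print(method, headers.get("Origin"), "->", cors_headers(method, headers))
```
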

wereHamster commented Jan 20, 2016

See https://gist.github.com/wereHamster/414aad4a41fca394a450 for changes needed to make the script compatible with mitmproxy 0.14 (I have not tested it yet with 0.15).


jhass commented Feb 13, 2017
