Service | SSL | status | Response Type | Allowed methods | Allowed headers | Exposed headers | Follow redirect | Streamable | WebSocket | Upload limit | Download limit | Country code | Comments |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
CORS bridged | Mirrored | Raw | * | All except forbidden headers | 16mb/request | US (CA) | Blog for docs & Testing | ||||||
cors-anywhere | Mirrored | Raw | * | * | * | Up to 5x | US | Requires Origin header | |||||
cors-anywhere @ glitch | Mirrored | Raw | source | ||||||||||
thingproxy | * | 100kb | 100kb | US | Max 10 req/sec | ||||||||
Whatever Origin | jsonp | GET | None | None | US | ||||||||
Go Between | |||||||||||||
goxcors | Always 200 | Raw | * | * | None | US | POST type is limited to x-www-form-urlencoded; has a weird API; Response Type is always text/html | ||||||
YaCDN | Not mirrored | Raw | GET | None | Up to 22x | FR | CDN, ignores browser headers | ||||||
All Origins | Only code in json | Json, jsonp, Raw | * | None | US | When using raw you lose status information | |||||||
Cloudflare Cors Anywhere | Only code mirror (not statusText) | Raw | * | All except forbidden headers | none | none | none | 100,000 requests/day; 1,000 requests/10 minutes | |||||
JSONProxy | GET | Possibly dead |
cors.io | Only code mirror | Raw | GET, HEAD | US | |||||||||
crossorigin.me | GET | 2MB | 2MB | US | Requires Origin header | ||||||||
HTML Driven | |||||||||||||
Taskcluster | * | US | All requests must be made within the request body; only whitelisted for Taskcluster | ||||||||||
anyorigin | jsonp | GET | none | none | US |
For CORS creator
A good cors proxy should
(and potentially prefix `set-cookie` & `location` with something)

`example.com/https://google.com` but instead uses `example.com/?url=https%3A%2F%2Fgoogle.com`, which allows for more options like

- `&method=POST`
- `&ignoreReqHeaders=true` // don't forward any headers sent by browser automatically
- `&appendReqHeaders=[['cookie', 'x-foo']]` send an additional cookie
- `&appendResHeaders=[['content-type', 'text/javascript']]` append a response header to make script executable.
- `&setResHeaders=[['content-type', 'text/plain']]` replaces content-type to make everything more secure
- `&deleteReqHeaders=['origin']` don't send origin (which some cors api checks for)
- `&followRedirect=false`
- `&body=abc`
I have speculated around using WebSocket as a proxy with very low networking level that allows you to do anything from both crafting and reading the raw bits. If someone does something like this, let me know.
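
The query-parameter format proposed above, worked through as an added example that is not part of the original post or of any listed proxy: it turns a proxy URL into the upstream request and the rewritten response headers. The function names, the single-quote normalisation of list values, the order in which the options are applied and the `GET` default are assumptions.

```javascript
// Added example, not the gist's code. Interprets the ?url=...&option=... format.
// Assumption: list values are the single-quoted arrays shown in the post,
// so quotes are normalised before JSON.parse.
function parseList(value) {
  return value === null ? [] : JSON.parse(value.replace(/'/g, '"'));
}

// Append a header value; cookies join with "; ", other headers with ", ".
function append(map, name, value) {
  const key = name.toLowerCase();
  const sep = key === 'cookie' ? '; ' : ', ';
  map.set(key, map.has(key) ? map.get(key) + sep + value : value);
}

// Build the upstream request from the proxy URL and the browser's headers.
function planRequest(proxyUrl, browserHeaders = {}) {
  const q = new URL(proxyUrl).searchParams;
  const target = new URL(q.get('url')); // throws when url is missing or invalid
  const headers = new Map();
  if (q.get('ignoreReqHeaders') !== 'true') {
    for (const [k, v] of Object.entries(browserHeaders)) headers.set(k.toLowerCase(), v);
  }
  for (const name of parseList(q.get('deleteReqHeaders'))) headers.delete(name.toLowerCase());
  for (const [k, v] of parseList(q.get('appendReqHeaders'))) append(headers, k, v);
  return {
    url: target.href,
    method: (q.get('method') || 'GET').toUpperCase(), // GET default is an assumption
    headers: Object.fromEntries(headers),
    redirect: q.get('followRedirect') === 'false' ? 'manual' : 'follow',
    body: q.get('body'),
  };
}

// Rewrite upstream response headers: setResHeaders replaces, appendResHeaders adds.
function planResponseHeaders(proxyUrl, upstreamHeaders = {}) {
  const q = new URL(proxyUrl).searchParams;
  const out = new Map();
  for (const [k, v] of Object.entries(upstreamHeaders)) out.set(k.toLowerCase(), v);
  for (const [k, v] of parseList(q.get('setResHeaders'))) out.set(k.toLowerCase(), v);
  for (const [k, v] of parseList(q.get('appendResHeaders'))) append(out, k, v);
  return Object.fromEntries(out);
}
```

Forcing `content-type` to `text/plain` through `setResHeaders` keeps a proxied response from being treated as script or HTML under the proxy's origin, which is the "more secure" case the list mentions.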