Cors proxies

readme.md

Service	SSL	status	Response Type	Allowed methods	Allowed headers	Exposed headers	Follow redirect	Streamable	WebSocket	Upload limit	Download limit	Country code	Comments
CORS bridged	✅	Mirrored	Raw	*	All but expect Forbidden headers	❓	❓	❓	❓	16mb/request	❓	US (CA)	Blog for docs & Testing
cors-anywhere	✅	Mirrored	Raw	*	*	*	Up to 5x	❓	❓	❓	❓	US	Require Origin header
cors-anywhere @ glitch	✅	Mirrored	Raw	❓	❓	❓	❓	❓	❓	❓	❓	❓	source
thingproxy	✅	❓	❓	*	❓	❓	❓	❓	❓	100kb	100kb	US	Max 10 req/sec
Whatever Origin	❌	❌	jsonp	GET	None	None	❓	❌	❌	❓	❓	US
Go Between	✅	❓	❓	❓	❓	❓	❓	❓	❓	❓	❓	❓
goxcors	✅	Allways 200	Raw	*	*	None	✅	❓	❓	❓	❓	US	POST type is limited to x-www-form-urlencoded Have a werd api Response Type is Allways text/html
YaCDN	✅	Not mirrored	Raw	GET	None	❌	Up to 22x	❓	❓	❓	❓	FR	CDN, ignores browsers headers
All Origins	✅	Only code in json	Json, jsonp, Raw	*	❌	None	✅	❓	❓	❓	❓	US	When using raw you loose status information
Cloudflare Cors Anywhere	✅	Only code mirror (not statusText)	Raw	*	All but expect Forbidden headers	none	✅	❌	❓	none	none	❓	100,000 requests/day 1,000 requests/10 minutes
JSONProxy	✅	❓	❓	GET	❓	❓	❓	❓	❓	❓	❓	❓

Possible dead

cors.io

✅

Only code mirror

Raw

GET, HEAD

❓

❓

✅

❓

❓

❓

❓

US

crossorigin.me

✅

❓

❓

GET

❓

❓

❓

❓

❓

2MB

2MB

US

Require Origin header

HTML Driven

✅

❓

❓

❓

❓

❓

❓

❓

❓

❓

❓

❓

Taskcluster

✅

❓

❓

*

❓

❓

❓

❓

❓

❓

❓

US

All request must be made within the request body Only whitelisted for taskcluster

anyorigin

❌

❓

jsonp

GET

none

none

❓

❌

❌

❌

❓

US

@JohnTrabusca

This is how I did it https://www.youtube.com/watch?v=4-tkyuwhs2Y

Thanks man, really appreciated :)

Re: Cloudflare workers - here's how to set it up:

CloudFront have released an 'official' CORS proxy here

Raw code here

You just need to copy and paste that into a new worker.

Note that by default this restricts the origin to be coming from the CloudFront worker itself - see here

If you change line 13 to be:

 response.headers.set('Access-Control-Allow-Origin', '*')

It then works from a different origin e.g. an observablehq notebook or your personal website.

A specific working example (with url of worker changed) could be :

f=  fetch("https://red-wave-c10f.myworkerpath.workers.dev/corsproxy/?apiurl=https://api.worldbank.org/countries/all/indicators/TX.VAL.MRCH.CD.WT?date=2014%3A2014%26format=json%26per_page=1000"").then(function(d) {return d.json()})

Thanks

Re: Cloudflare workers - here's how to set it up:

CloudFront have released an 'official' CORS proxy here

Raw code here

You just need to copy and paste that into a new worker.

Note that by default this restricts the origin to be coming from the CloudFront worker itself - see here

If you change line 13 to be:

 response.headers.set('Access-Control-Allow-Origin', '*')

It then works from a different origin e.g. an observablehq notebook or your personal website.

A specific working example (with url of worker changed) could be :

f=  fetch("https://red-wave-c10f.myworkerpath.workers.dev/corsproxy/?apiurl=https://api.worldbank.org/countries/all/indicators/TX.VAL.MRCH.CD.WT?date=2014%3A2014%26format=json%26per_page=1000"").then(function(d) {return d.json()})

@RobinL , Just wanted to ask, do I need to change something else in the code, to get this working, because it's giving "CORS header ‘Access-Control-Allow-Origin’ missing" even after changin to ('Access-Control-Allow-Origin', '*') thing.
I just want to setup an open cors proxy

Update:
ok, I get it, line no 3 , was causing the problem for me:

const apiurl = url.searchParams.get('apiurl')

Lets say I use
https://www.google.com/search?&q=marine
it will be stripped to https://www.google.com/search and that was causing the problem.

I will see how to fix this

Update2:
I changed line no 3 to const apiurl = unescape(unescape(url.search.substr(8))); and that seems to work fine
I referred : https://github.com/Zibri/cloudflare-cors-anywhere/blob/2f5bae4c00bac89018e2ae7edc860ecba2a2223b/index.js#L48

Thanks, that's great. I had been using the workaround of manual unescaping. Your solution is much better

To add to the table above, there's also JSONProxy.

Today i have experiment with raw tcp + websocket as a proxy

The problem with cors, browsers and proxies are that they put too much restriction on you and you can't do everything you want to do

here is what i have done so far: https://codesandbox.io/s/late-moon-5mck1

it's basically a reimplementation of fetch with custom redirect mode can send and read all response forbidden headers and support any http method you want

Would be happy to develop this further if someone else knows how someone can reimplement http2, QUIC, TLS 1.3 in the browser using web crypto - that is just beyond my knowledge.

cloudflare has request limit of 100,000, per day, we can increase that to 5 million per day, by fetching multiple requests at the same time.
You can refer the code here:
https://github.com/fawazahmed0/cloudflare-multi-cors-proxy

Do I need a personal server to use cloudflare? My website is on a free web hosting.

Do I need a personal server to use cloudflare? My website is on a free web hosting.

no, not required for cloudflare workers

No , a normal server is fine, free or paid... Sent from Yahoo Mail on Android On Fri, Jan 8, 2021 at 20:30, Fawaz Ahmed<notifications@github.com> wrote: @fawazahmed0 commented on this gist. Do I need a personal server to use cloudflare? My website is on a free web hosting. no, not required for cloudflare workers — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub, or unsubscribe.

Is it possible to use cloudflare for all the chunks in a m3u8 file?

I am not sure but it sgould work as lomg as the videos are accesible. Sent from Yahoo Mail on Android On Sun, Jan 10, 2021 at 23:44, joaopa00<notifications@github.com> wrote: @joaopa00 commented on this gist. Is it possible to use cloudflare for all the chunks in a m3u8? — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub, or unsubscribe.

@fawazahmed0 Thank you for sharing a special code. Works for all pages except Google: is there a solution?
var arr = ["https://www.google.com/search?q=test"] fetch('https://Test-Name.username.workers.dev',{ method: 'POST', body: JSON.stringify(arr) }) .then(response => response.text()) .then(data => console.log(data))

Can you develop the code to do that.
and avoid Same-origin policy problems. Like : https://allorigins.win/

@fawazahmed0 Thank you for sharing a special code. Works for all pages except Google: is there a solution?
var arr = ["https://www.google.com/search?q=test"] fetch('https://Test-Name.username.workers.dev',{ method: 'POST', body: JSON.stringify(arr) }) .then(response => response.text()) .then(data => console.log(data))

Can you develop the code to do that.
and avoid Same-origin policy problems. Like : https://allorigins.win/

For sites like Google, you can use cors-anywhere by Rob Wu, here is the link to my fork: Fork

You just have to click on Deploy to Heroku Button

@jimmywarting Can you put https://cors.bridged.cc on the table?

medium: https://medium.com/bridgedxyz/cors-anywhere-for-everyone-free-reliable-cors-proxy-service-73507192714e
github: https://github.com/bridgedxyz/services

@softmarshmallow Will do!

Do you know if they allow sending/reading headers in some other form other than directly onto the request headers?
Browsers blocks some request headers from being sent & read

Another issue that one of my private CORS proxy is solving is the ability to set/remove certain headers on the request/response

new Headers({
   // send a cookie that is forbidden otherwise
  'x-cors-set-request-headers': 'cookie: value',

  // pretend that i'm making a request from another origin
  'x-cors-set-request-headers': 'origin: example.com',

  // Remove restriction that don't allow page to work in a iframe
  'x-cors-delete-response-headers': 'csp', 
  'x-cors-delete-response-headers': 'X-Frame-Options',

  // override text/plain so it can render properly
  'x-cors-set-response-headers': "content-type: text/html"
})

i know that some REST Apis with CORS enabled already exist but they really limit it to there own domain by checking if
http://example.com is allowed to make request to http://api.example.com by looking at the origin header so there is no way to fake that I'm making a request from http://example.com if i'm not allowed to set a forbidden header origin

The "I don't want to host this myself" state of affairs April 2021:

• CORS Bridged: Requires signup
• cors-anywhere: Requires opt in
• cors-anywhere glitch: Suspended
• thingproxy: Wrong link, dead anyway
• whateverorigin: Dead
• gobetween: Dead
• goxcors: Dead
• Yacdn: Dead
• Allorigins: Works (some gzip issues)
• Cloudflare CORS: Broken
• JSON Proxy: Dead

This list was shared/copied a lot, probably the reason why many is dead now.

and most of the shared repo here for cloudflare workers are not working anymore but glad I found all origins, it saved me a lot of time. Cloudflare-cors-anywhere doens't work with cloudflare workers that returns a json body due to 403 forbidden headers (when I do the fetch inside the worker panel it works fine) but it works on graphql queries though from my use case

I just made this with almost all the options that @jimmywarting suggested. Haven't tested much but it should works :)

Can you add https://corsproxy.io? It's made by my company and many other companies use it to develop javascript applications. It's made in Germany, 100% gdpr compliant and runs on a global CDN. We currently serve 2.5 Mio requests per day :)

Can you add https://corsproxy.io? It's made by my company and many other companies use it to develop javascript applications. It's made in Germany, 100% gdpr compliant and runs on a global CDN. We currently serve 2.5 Mio requests per day :)

Looks promising, it would be really nice if it has query options to modify the proxy request like adding or removing headers. Great work!

Looks promising, it would be really nice if it has query options to modify the proxy request like adding or removing headers. Great work!

Thank you for the feedback! We‘ll definitively add this feature. It may takes two to three weeks :)

👍 for https://corsproxy.io

Site is awesome.

Can we find documentation about this https://corsproxy.io/ @mariusbolik .

Can you add https://corsproxy.io? It's made by my company and many other companies use it to develop javascript applications. It's made in Germany, 100% gdpr compliant and runs on a global CDN. We currently serve 2.5 Mio requests per day :)

is it safe to use

@vsn530 Assuming Marius was being 100% honest (I don't doubt he was), the claim is thei're GDPR compliant and have no logs. (which if they're based in Germany, violating is a hefty fine!), but anyway you shouldn't be sending highly confidential data/credentials through a free proxy you don't own.

@vsn530 Assuming Marius was being 100% honest (I don't doubt he was), the claim is thei're GDPR compliant and have no logs. (which if they're based in Germany, violating is a hefty fine!), but anyway you shouldn't be sending highly confidential data/credentials through a free proxy you don't own.

To avoid that you should just setup your own server. The corsproxy.io just for things that don't contain important data and not worth to create a server for them.

By the way I'm still waiting for their request headers modify feature ;D

@softmarshmallow unfortunately I tried your service and you're not setting the right headers for me to make requests from the frontend

@sw-yx cors.bridged.cc requires an API key now see gridaco/base#23 for more information