Cors proxies
Service SSL status Response Type Allowed methods Allowed headers Exposed headers Follow redirect Streamable WebSocket Upload limit Download limit Country code Comments
CORS bridged Mirrored Raw * All except forbidden headers 16mb/request US (CA) Blog for docs & Testing
cors-anywhere Mirrored Raw * * * Up to 5x US Require Origin header
cors-anywhere @ glitch Mirrored Raw source
thingproxy * 100kb 100kb US Max 10 req/sec
Whatever Origin jsonp GET None None US
Go Between
goxcors Always 200 Raw * * None US POST type is limited to x-www-form-urlencoded
Have a werd api
Response Type is always text/html
YaCDN Not mirrored Raw GET None Up to 22x FR CDN, ignores browsers headers
All Origins Only code in json Json, jsonp, Raw * None US When using raw you lose status information
Cloudflare Cors Anywhere Only code mirror (not statusText) Raw * All except forbidden headers none none none 100,000 requests/day 1,000 requests/10 minutes
JSONProxy GET

Possibly dead

cors.io Only code mirror Raw GET, HEAD US
crossorigin.me GET 2MB 2MB US Require Origin header
HTML Driven
Taskcluster * US All requests must be made within the request body
Only whitelisted for taskcluster
anyorigin jsonp GET none none US

@jimmywarting jimmywarting commented May 1, 2019

For CORS creator

A good cors proxy should

  • allow requested method & headers in preflight request
res.header('Access-Control-Allow-Methods', req.header('Access-Control-Request-Method'))
res.header('Access-Control-Allow-Headers', req.header('Access-Control-Request-Headers')) 
  • Send back
    • responseCode as is
    • responseText as is
    • raw data (in case someone wants to work with binary)
    • and expose all response headers that came from making the request
      (and potentially prefix set-cookie & location with something)
  • does not use example.com/https://google.com but instead uses example.com/?url=https%3A%2F%2Fgoogle.com
    which allows for more option like
    • overriding method
      • &method=POST
    • ignoring headers sent by the browser
      • &ignoreReqHeaders=true // don't forward any headers sent by browser automatically
    • set, delete or append request/response headers that would allow you to send forbidden headers
      • &appendReqHeaders=[['cookie', 'x-foo']] send an additional cookie
      • &appendResHeaders=[['content-type', 'text/javascript']] append a response header to make script executable.
      • &setResHeaders=[['content-type', 'text/plain']] replaces content-type to make everything more secure
      • &deleteReqHeaders=['origin'] don't send origin (which some cors api checks for)
    • control redirect (some want to read headers that are sent in the redirect)
      • &followRedirect=false
    • putting the body in url for some reason
      • &body=abc

I have speculated about using WebSocket as a proxy at a very low networking level that allows you to do anything, from both crafting and reading the raw bits. If someone does something like this, let me know

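var ws = new WebSocket(proxyurl)
// send() throws while the socket is still connecting, so wait for the open event
ws.onopen = () => ws.send(`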
POST /cgi-bin/process.cgi HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE5.01; Windows NT)
Host: www.tutorialspoint.com
Content-Type: application/x-www-form-urlencoded
Content-Length: length
Accept-Language: en-us
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

licenseID=string&content=string&/paramsXML=string
`)
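
The checklist above, sketched as three pure functions (an added example, not code from the gist author): mirroring the preflight request, renaming and exposing upstream response headers, and reading the `?url=` option form. The `x-proxied-` prefix, the wildcard `Access-Control-Allow-Origin` and the http(s)-only check are assumptions of this sketch.

```javascript
// Preflight: mirror the method and headers the browser asked permission for.
// `req` is a plain object of lower-cased request header names.
function preflightHeaders(req) {
  const out = { 'access-control-allow-origin': '*' }; // assumption: open proxy
  const method = req['access-control-request-method'];
  const headers = req['access-control-request-headers'];
  if (method) out['access-control-allow-methods'] = method;
  if (headers) out['access-control-allow-headers'] = headers;
  return out;
}

// Response: keep the upstream headers, rename the two the browser would act on
// or hide, and list every name so page script is allowed to read it.
const PREFIX = 'x-proxied-'; // hypothetical prefix
function exposeUpstreamHeaders(upstream) {
  const out = {};
  for (const [name, value] of Object.entries(upstream)) {
    const key = name.toLowerCase();
    out[key === 'set-cookie' || key === 'location' ? PREFIX + key : key] = value;
  }
  out['access-control-expose-headers'] = Object.keys(out).join(', ');
  out['access-control-allow-origin'] = '*';
  return out;
}

// Options: read the ?url=... form and some of the switches from the list above.
function parseOptions(requestUrl) {
  const q = new URL(requestUrl).searchParams;
  const target = new URL(q.get('url')); // throws on a missing or malformed target
  if (!/^https?:$/.test(target.protocol)) throw new Error('only http(s) targets');
  return {
    target: target.href,
    method: (q.get('method') || 'GET').toUpperCase(),
    followRedirect: q.get('followRedirect') !== 'false', // default: follow
    ignoreReqHeaders: q.get('ignoreReqHeaders') === 'true',
    body: q.get('body'), // null when absent
  };
}
```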

@RobinL RobinL commented May 2, 2020

Re: Cloudflare workers - here's how to set it up:

CloudFront have released an 'official' CORS proxy here

Raw code here

You just need to copy and paste that into a new worker.

Note that by default this restricts the origin to be coming from the CloudFront worker itself - see here

If you change line 13 to be:

 response.headers.set('Access-Control-Allow-Origin', '*')

It then works from a different origin e.g. an observablehq notebook or your personal website.

A specific working example (with url of worker changed) could be :

f=  fetch("https://red-wave-c10f.myworkerpath.workers.dev/corsproxy/?apiurl=https://api.worldbank.org/countries/all/indicators/TX.VAL.MRCH.CD.WT?date=2014%3A2014%26format=json%26per_page=1000").then(function(d) {return d.json()})
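
A middle ground between the worker's default and `'*'`, as an added example that is not part of the worker code referred to above: echo the `Origin` only when it is on an allowlist, and accept only targets on an allowlist of API hosts. Both lists and the `decide` helper are hypothetical.

```javascript
// Hypothetical allowlists: the sites allowed to call the proxy, and the API
// hosts the proxy is willing to fetch from.
const ALLOWED_ORIGINS = new Set(['https://www.example.org', 'https://notebook.example']);
const ALLOWED_API_HOSTS = new Set(['api.worldbank.org']);

// CORS response headers for one request Origin, or null when it is not allowed.
function corsHeadersFor(origin) {
  if (!origin || !ALLOWED_ORIGINS.has(origin)) return null;
  return {
    'Access-Control-Allow-Origin': origin, // echo the one allowed origin, not '*'
    'Vary': 'Origin',                      // stop caches reusing it for another origin
  };
}

// Accept only http(s) targets on an allowlisted host.
function checkTarget(apiurl) {
  let target;
  try { target = new URL(apiurl); } catch { return { ok: false, reason: 'not a URL' }; }
  if (target.protocol !== 'https:' && target.protocol !== 'http:') {
    return { ok: false, reason: 'scheme not allowed' };
  }
  if (!ALLOWED_API_HOSTS.has(target.hostname)) {
    return { ok: false, reason: 'host not allowed' };
  }
  return { ok: true, target };
}

// What the worker would answer, decided without any network I/O.
function decide(origin, apiurl) {
  const cors = corsHeadersFor(origin);
  if (!cors) return { status: 403, reason: 'origin not allowed' };
  const t = checkTarget(apiurl);
  if (!t.ok) return { status: 400, reason: t.reason };
  return { status: 200, fetchUrl: t.target.href, headers: cors };
}
```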

@FWDEsing FWDEsing commented May 2, 2020

Thank you but this is beyond my skills. I just installed PHP core proxy directly on my server and it works...


@JohnTrabusca JohnTrabusca commented May 4, 2020

> Thank you but this is beyond my skills. I just installed PHP core proxy directly on my server and it works...

Can you share the PHP core proxy, I'm in extreme need of something like this. Thanks in Advance @FWDEsing


@FWDEsing FWDEsing commented May 4, 2020


@JohnTrabusca JohnTrabusca commented May 4, 2020

> @JohnTrabusca
>
> This is how I did it https://www.youtube.com/watch?v=4-tkyuwhs2Y

Thanks man, really appreciated :)


@fawazahmed0 fawazahmed0 commented May 8, 2020

> Re: Cloudflare workers - here's how to set it up:
>
> CloudFront have released an 'official' CORS proxy here
>
> Raw code here
>
> You just need to copy and paste that into a new worker.
>
> Note that by default this restricts the origin to be coming from the CloudFront worker itself - see here
>
> If you change line 13 to be:
>
>  response.headers.set('Access-Control-Allow-Origin', '*')
>
> It then works from a different origin e.g. an observablehq notebook or your personal website.
>
> A specific working example (with url of worker changed) could be :
>
> f=  fetch("https://red-wave-c10f.myworkerpath.workers.dev/corsproxy/?apiurl=https://api.worldbank.org/countries/all/indicators/TX.VAL.MRCH.CD.WT?date=2014%3A2014%26format=json%26per_page=1000").then(function(d) {return d.json()})

Thanks


@fawazahmed0 fawazahmed0 commented May 8, 2020

> Re: Cloudflare workers - here's how to set it up:
>
> CloudFront have released an 'official' CORS proxy here
>
> Raw code here
>
> You just need to copy and paste that into a new worker.
>
> Note that by default this restricts the origin to be coming from the CloudFront worker itself - see here
>
> If you change line 13 to be:
>
>  response.headers.set('Access-Control-Allow-Origin', '*')
>
> It then works from a different origin e.g. an observablehq notebook or your personal website.
>
> A specific working example (with url of worker changed) could be :
>
> f=  fetch("https://red-wave-c10f.myworkerpath.workers.dev/corsproxy/?apiurl=https://api.worldbank.org/countries/all/indicators/TX.VAL.MRCH.CD.WT?date=2014%3A2014%26format=json%26per_page=1000").then(function(d) {return d.json()})

@RobinL, just wanted to ask: do I need to change something else in the code to get this working? It's giving "CORS header ‘Access-Control-Allow-Origin’ missing" even after changing to the ('Access-Control-Allow-Origin', '*') thing.
I just want to setup an open cors proxy

Update:
ok, I get it, line no 3 , was causing the problem for me:

const apiurl = url.searchParams.get('apiurl')

Let's say I use
https://www.google.com/search?&q=marine
it will be stripped to https://www.google.com/search and that was causing the problem.

I will see how to fix this

Update2:
I changed line no 3 to const apiurl = unescape(unescape(url.search.substr(8))); and that seems to work fine
I referred : https://github.com/Zibri/cloudflare-cors-anywhere/blob/2f5bae4c00bac89018e2ae7edc860ecba2a2223b/index.js#L48


@RobinL RobinL commented May 8, 2020

Thanks, that's great. I had been using the workaround of manual unescaping. Your solution is much better


@TheLastZombie TheLastZombie commented May 11, 2020

To add to the table above, there's also JSONProxy.


@jimmywarting jimmywarting commented May 17, 2020

Today I have experimented with raw TCP + WebSocket as a proxy

The problem with CORS, browsers and proxies is that they put too many restrictions on you and you can't do everything you want to do

Here is what I have done so far: https://codesandbox.io/s/late-moon-5mck1

It's basically a reimplementation of fetch with a custom redirect mode; it can send and read all response forbidden headers and supports any HTTP method you want

Would be happy to develop this further if someone else knows how someone can reimplement http2, QUIC, TLS 1.3 in the browser using web crypto - that is just beyond my knowledge.


@fawazahmed0 fawazahmed0 commented Jun 21, 2020

Cloudflare has a request limit of 100,000 per day; we can increase that to 5 million per day by fetching multiple requests at the same time.
You can refer to the code here:
https://github.com/fawazahmed0/cloudflare-multi-cors-proxy


@joaopa00 joaopa00 commented Jan 8, 2021

Do I need a personal server to use cloudflare? My website is on a free web hosting.


@fawazahmed0 fawazahmed0 commented Jan 8, 2021

> Do I need a personal server to use cloudflare? My website is on a free web hosting.

no, not required for cloudflare workers


@FWDEsing FWDEsing commented Jan 8, 2021


@joaopa00 joaopa00 commented Jan 10, 2021

Is it possible to use cloudflare for all the chunks in a m3u8 file?


@FWDEsing FWDEsing commented Jan 11, 2021


@SpyShare SpyShare commented Jan 22, 2021

@fawazahmed0 Thank you for sharing a special code. Works for all pages except Google: is there a solution?
var arr = ["https://www.google.com/search?q=test"]
fetch('https://Test-Name.username.workers.dev', { method: 'POST', body: JSON.stringify(arr) })
  .then(response => response.text())
  .then(data => console.log(data))

Can you develop the code to do that.
and avoid Same-origin policy problems. Like : https://allorigins.win/


@fawazahmed0 fawazahmed0 commented Jan 22, 2021

> @fawazahmed0 Thank you for sharing a special code. Works for all pages except Google: is there a solution?
> var arr = ["https://www.google.com/search?q=test"]
> fetch('https://Test-Name.username.workers.dev', { method: 'POST', body: JSON.stringify(arr) })
>   .then(response => response.text())
>   .then(data => console.log(data))
>
> Can you develop the code to do that.
> and avoid Same-origin policy problems. Like : https://allorigins.win/

For sites like Google, you can use cors-anywhere by Rob Wu, here is the link to my fork: Fork

You just have to click on Deploy to Heroku Button


@jimmywarting jimmywarting commented Feb 14, 2021

@softmarshmallow Will do!

Do you know if they allow sending/reading headers in some other form other than directly onto the request headers?
Browsers block some request headers from being sent & read

Another issue that one of my private CORS proxies is solving is the ability to set/remove certain headers on the request/response

// an array of pairs, because repeated keys in an object literal overwrite each other
new Headers([
  // send a cookie that is forbidden otherwise
  ['x-cors-set-request-headers', 'cookie: value'],

  // pretend that i'm making a request from another origin
  ['x-cors-set-request-headers', 'origin: example.com'],

  // Remove restriction that don't allow page to work in a iframe
  ['x-cors-delete-response-headers', 'csp'],
  ['x-cors-delete-response-headers', 'X-Frame-Options'],

  // override text/plain so it can render properly
  ['x-cors-set-response-headers', 'content-type: text/html']
])

I know that some REST APIs with CORS enabled already exist, but they really limit it to their own domain by checking if
http://example.com is allowed to make requests to http://api.example.com by looking at the origin header, so there is no way to fake that I'm making a request from http://example.com if I'm not allowed to set a forbidden header origin
