Cors proxies

readme.md

Service	SSL	status	Response Type	Allowed methods	Allowed headers	Exposed headers	Follow redirect	Streamable	WebSocket	Upload limit	Download limit	Country code	Comments
cors-anywhere	✅	Mirrored	Raw	*	*	*	Up to 5x	❓	❓	❓	❓	US	Require Origin header
cors-anywhere @ glitch	✅	Mirrored	Raw	❓	❓	❓	❓	❓	❓	❓	❓	❓	source
crossorigin.me	✅	❓	❓	GET	❓	❓	❓	❓	❓	2MB	2MB	US	Require Origin header
HTML Driven	✅	❓	❓	❓	❓	❓	❓	❓	❓	❓	❓	❓
Taskcluster	✅	❓	❓	*	❓	❓	❓	❓	❓	❓	❓	US	All request must be made within the request body Only whitelisted for taskcluster
anyorigin	❌	❓	jsonp	GET	none	none	❓	❌	❌	❌	❓	US
thingproxy	✅	❓	❓	*	❓	❓	❓	❓	❓	100kb	100kb	US	Max 10 req/sec
Whatever Origin	❌	❌	jsonp	GET	None	None	❓	❌	❌	❓	❓	US
cors.io	✅	Only code mirror	Raw	GET, HEAD	❓	❓	✅	❓	❓	❓	❓	US
Go Between	✅	❓	❓	❓	❓	❓	❓	❓	❓	❓	❓	❓
goxcors	✅	Allways 200	Raw	*	*	None	✅	❓	❓	❓	❓	US	POST type is limited to x-www-form-urlencoded Have a werd api Response Type is Allways text/html
YaCDN	✅	Not mirrored	Raw	GET	None	❌	Up to 22x	❓	❓	❓	❓	FR	CDN, ignores browsers headers
All Origins	✅	Only code in json	Json, jsonp, Raw	*	❌	None	✅	❓	❓	❓	❓	US	When using raw you loose status information
Cloudflare Cors Anywhere	✅	Only code mirror (not statusText)	Raw	*	All but expect Forbidden headers	none	✅	❌	❓	none	none	❓	100,000 requests/day 1,000 requests/10 minutes
JSONProxy	✅	❓	❓	GET	❓	❓	❓	❓	❓	❓	❓	❓

For CORS creator

A good cors proxy should

• allow requested method & headers in preflight request

res.header('Access-Control-Allow-Methods', req.header('Access-Control-Request-Method'))
res.header('Access-Control-Allow-Headers', req.header('Access-Control-Request-Headers')) 

• Send back
  • responseCode as is
  • responseText as is
  • raw data (in case someone wants to work with binary)
  • and expose all response header that came from making the request
    (and potentially prefix set-cookie & location with something)
• dose not use example.com/https://google.com but instead uses example.com/?url=https%3A%2F%2Fgoogle.com
  which allows for more option like
  • overriding method
    • &method=POST
  • ignoring headers sent by the browser
    • &ignoreReqHeaders=true // don't forward any headers sent by browser automatically
  • set, delete or append request/response headers that would allow you to send forbidden headers
    • &appendReqHeaders=[['cookie', 'x-foo']] send an additional cookie
    • &appendResHeaders=[['content-type', 'text/javascript']] append a response header to make script executable.
    • &setResHeaders=[['content-type', 'text/plain']]] replaces content-type to make everything more secure
    • &deleteReqHeaders=['origin'] don't send origin (which some cors api checks for)
  • control redirect (some want to read headers that are sent in the redirect)
    • &followRedirect=false
  • putting the body in url for some reason
    • &body=abc

I have speculated around using WebSocket as a proxy with very low networking level that allows you to do anything from both crafting and reading the raw bits. If someone dose something like this let me know

var ws = new WebSocket(proxyurl)
ws.send(`
POST /cgi-bin/process.cgi HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE5.01; Windows NT)
Host: www.tutorialspoint.com
Content-Type: application/x-www-form-urlencoded
Content-Length: length
Accept-Language: en-us
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

licenseID=string&content=string&/paramsXML=string
`)

P.S.

Instead of using someone else's, make you own, it will be stable and really fast!!
Learn how here: https://github.com/Zibri/cloudflare-cors-anywhere

Don't use the demo url, just make your own on cloudflare.
Abuse (other than testing) of the demo will result in a ban.
The demo accepts only fetch and xmlhttprequest do not try it directly.

Instead of using someone else's, make you own, it will be stable and really fast!!
Learn how here: https://github.com/Zibri/cloudflare-cors-anywhere

@Zibri Thanks for sharing. I arrived here thinking the same thing... for CORS, it's risky to rely on any of these fly-by-night services that are outside of your control, as they could stop functioning without warning. And I think it's becoming such a common thing that projects need, that it is sensible for there to just be a utility to mix in to one's own infrastructure.

Cheers :)

@morpc-gohio

Instead of using someone else's, make you own, it will be stable and really fast!!
Learn how here: https://github.com/Zibri/cloudflare-cors-anywhere

P.S.
Don't use the demo url, just make your own on cloudflare.
Abuse (other than testing) of the demo will result in a ban.
The demo accepts only fetch and xmlhttprequest do not try it directly.

I thinking the same idea after reading many articles and forums. It seems to be a great solution if running your own proxy server. till i met this, you did something great! also thanks..

@adisa555 I am very glad that someone undesrtood why that was important and apreciated it.

(Instead many used just the demo like if was just a free services, but the demo has a slightly different code, logs everything and bans people very easily...heheheheh)

@emjayess thanks for your words ... until now it seemed nobody really cared nor understood.

by the way, with a little modification it could be made streamable too...

To make something streamable you have to

• Make a duplex stream from A <-> B
• You should for example be able to listen to a live .pls radio channel that never ends in a <audio> tag
• the upload body should be piped to the destination without keeping everything in the memory

Yes.. but with cloudflare is very easy to do is just 2-3 lines of code.
See here: https://workers.cloudflare.com/docs/reference/runtime/apis/streams/

@Zibri the cloudflare worker concept is awesome!
i once tried to implement something like it in node. (using node-fetch, fetch-event & fetch-cachestorage) but got abandoned due to some blocking node-fetch issue
maybe will start using cloudflare

cors.io - seems to be dead.

All of them look DEAD

crossorigin.me appears to be gone.

I need a server that can load shoutcast json and also mp3 streams, can anybody help me, willing to pay for it.

tibi_diablo@yahoo.com

Re: Cloudflare workers - here's how to set it up:

CloudFront have released an 'official' CORS proxy here

Raw code here

You just need to copy and paste that into a new worker.

Note that by default this restricts the origin to be coming from the CloudFront worker itself - see here

If you change line 13 to be:

 response.headers.set('Access-Control-Allow-Origin', '*')

It then works from a different origin e.g. an observablehq notebook or your personal website.

A specific working example (with url of worker changed) could be :

f=  fetch("https://red-wave-c10f.myworkerpath.workers.dev/corsproxy/?apiurl=https://api.worldbank.org/countries/all/indicators/TX.VAL.MRCH.CD.WT?date=2014%3A2014%26format=json%26per_page=1000"").then(function(d) {return d.json()})

Thank you but this is beyond my skills. I just installed PHP core proxy directly on my server and it works...

Thank you but this is beyond my skills. I just installed PHP core proxy directly on my server and it works...

Can you share the PHP core proxy, I'm in extreme need of something like this. Thanks in Advance @FWDEsing

@JohnTrabusca

This is how I did it https://www.youtube.com/watch?v=4-tkyuwhs2Y

@JohnTrabusca

This is how I did it https://www.youtube.com/watch?v=4-tkyuwhs2Y

Thanks man, really appreciated :)

Re: Cloudflare workers - here's how to set it up:

CloudFront have released an 'official' CORS proxy here

Raw code here

You just need to copy and paste that into a new worker.

Note that by default this restricts the origin to be coming from the CloudFront worker itself - see here

If you change line 13 to be:

 response.headers.set('Access-Control-Allow-Origin', '*')

It then works from a different origin e.g. an observablehq notebook or your personal website.

A specific working example (with url of worker changed) could be :

f=  fetch("https://red-wave-c10f.myworkerpath.workers.dev/corsproxy/?apiurl=https://api.worldbank.org/countries/all/indicators/TX.VAL.MRCH.CD.WT?date=2014%3A2014%26format=json%26per_page=1000"").then(function(d) {return d.json()})

Thanks

Re: Cloudflare workers - here's how to set it up:

CloudFront have released an 'official' CORS proxy here

Raw code here

You just need to copy and paste that into a new worker.

Note that by default this restricts the origin to be coming from the CloudFront worker itself - see here

If you change line 13 to be:

 response.headers.set('Access-Control-Allow-Origin', '*')

It then works from a different origin e.g. an observablehq notebook or your personal website.

A specific working example (with url of worker changed) could be :

f=  fetch("https://red-wave-c10f.myworkerpath.workers.dev/corsproxy/?apiurl=https://api.worldbank.org/countries/all/indicators/TX.VAL.MRCH.CD.WT?date=2014%3A2014%26format=json%26per_page=1000"").then(function(d) {return d.json()})

@RobinL , Just wanted to ask, do I need to change something else in the code, to get this working, because it's giving "CORS header ‘Access-Control-Allow-Origin’ missing" even after changin to ('Access-Control-Allow-Origin', '*') thing.
I just want to setup an open cors proxy

Update:
ok, I get it, line no 3 , was causing the problem for me:

const apiurl = url.searchParams.get('apiurl')

Lets say I use
https://www.google.com/search?&q=marine
it will be stripped to https://www.google.com/search and that was causing the problem.

I will see how to fix this

Update2:
I changed line no 3 to const apiurl = unescape(unescape(url.search.substr(8))); and that seems to work fine
I referred : https://github.com/Zibri/cloudflare-cors-anywhere/blob/2f5bae4c00bac89018e2ae7edc860ecba2a2223b/index.js#L48

Thanks, that's great. I had been using the workaround of manual unescaping. Your solution is much better

To add to the table above, there's also JSONProxy.

Today i have experiment with raw tcp + websocket as a proxy

The problem with cors, browsers and proxies are that they put too much restriction on you and you can't do everything you want to do

here is what i have done so far: https://codesandbox.io/s/late-moon-5mck1

it's basically a reimplementation of fetch with custom redirect mode can send and read all response forbidden headers and support any http method you want

Would be happy to develop this further if someone else knows how someone can reimplement http2, QUIC, TLS 1.3 in the browser using web crypto - that is just beyond my knowledge.

cloudflare has request limit of 100,000, per day, we can increase that to 5 million per day, by fetching multiple requests at the same time.
You can refer the code here:
https://github.com/fawazahmed0/cloudflare-multi-cors-proxy