Skip to content

Instantly share code, notes, and snippets.

@tobihans

tobihans/README.md

Forked from jhass/README.md
Created December 6, 2023 06:46
Show Gist options
  • Star 0 You must be signed in to star a gist
  • Fork 0 You must be signed in to fork a gist
  • Save tobihans/e7fe80bb1bfbf61899c602471f371ea1 to your computer and use it in GitHub Desktop.
Save tobihans/e7fe80bb1bfbf61899c602471f371ea1 to your computer and use it in GitHub Desktop.
Download ZIP
Proxy to remote server with CORS support
Raw
README.md

cors.py for mitmproxy

Hacking CORS restriction to enable in-browser XHR to any server.

Usage

Say you are running an web app at localhost, and you want to send XHR to http://remote-server:80, but the CORS restriction forbids access because you are sending requests from an origin that remote-server:80 does not allow.

Run:

mitmproxy -s cors.py -R http://remote-server:80 -b localhost -p 8080

Now localhost:8080 is tunnelled to remote-server:80.

And you can XHR to proxied server from localhost:

fetch("http://localhost:8080/api.json")
  .then(function(response) {
    // enjoy the response
  });

Bonus: You can inspect HTTP requests in mitmproxy.

Raw
cors.py
from mitmproxy import http
def response(flow):
flow.response.headers["Access-Control-Allow-Origin"] = "*"
# Use this if the application sends auth info via header
flow.response.headers["Access-Control-Expose-Headers"] = "Authorization"
def request(flow):
# Hijack CORS OPTIONS request
if flow.request.method == "OPTIONS":
flow.response = http.Response.make(200, b"",
{"Access-Control-Allow-Origin": "*",
"Access-Control-Allow-Methods": "GET,POST",
"Access-Control-Allow-Headers": "Authorization",
"Access-Control-Max-Age": "1728000"})
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment