JS Bin Proxy

jsbin-proxy.js

var http = require('http');
var urlParse = require('url').parse;

var PORT = process.env.PORT || 3000;

http.createServer(function(req, res) {
  var info = urlParse(req.url);

  if (req.method != 'GET') {
    res.writeHead(405);
    return res.end("Method Not Allowed");
  }

  if (req.url == '/' || /edit\/?$/.test(req.url)) {
    res.writeHead(200);
    return res.end("This proxy is intended only for viewing " +
                   "jsbin creations, not editing them.");
  }

  var req = http.request({
    hostname: 'jsbin.com',
    path: req.url
  }, function(jsbinRes) {
    if (jsbinRes.statusCode == 200 &&
        /^text\/html/.test(jsbinRes.headers['content-type'])) {
      res.writeHead(200, {
        'Content-Type': jsbinRes.headers['content-type'],
        'Content-Length': jsbinRes.headers['content-length'],
        'X-Robots-Tag': jsbinRes.headers['x-robots-tag']
      });
      return jsbinRes.pipe(res);
    }
    res.writeHead(404);
    res.end("Not Found");
  });
  req.on('error', function(e) {
    res.writeHead(502);
    res.end("502 Bad Gateway");
  });
  req.end();
}).listen(PORT, function() {
  console.log("listening on port " + PORT);
});

This is a simple proxy for JS Bin that serves its creations without the X-Frame-Options header that prevents other sites like Minicade from embedding them. Because the proxy accesses the creations anonymously, doesn't transfer cookies, and actively prevents users from using the site to log in and edit things, there hopefully shouldn't be any security risks with this approach.

This script has been deployed at jsbin-proxy.herokuapp.com and is used to fix toolness/minicade#15.