Comments (2)
Rob--W
commented on May 29, 2024
1
This is mostly done for security reasons. When withCredentials is enabled, things like cookies are automatically included in each request. Cookies are tied to (sub)domains and optionally a specific path. CORS Anywhere has a single domain, so allowing credentials would result in leakage of cookies between proxied sites.
Technically, it would be possible to parse cookies and modify the target domain and path of the cookie, but then there is another problem: If multiple sites use the same CORS Anywhere domain with cookies, then the per-domain cookie size limit will prevent cookies from working correctly.
And please note that even if withCredentials were to be supported for CORS Anywhere, then the users' cookies for the proxied site are not included in the request (because from the browser's perspective, CORS Anywhere is not the same domain as proxied site, cors-anywhere.herokuapp.com/example.com vs example.com).
If you need authentication, check if the proxied site supports authentication via headers, e.g. via Basic Authorization or API keys.
from cors-anywhere.
munsuri
commented on May 29, 2024
Thank you very much for the quick answer and clear explanations.
I was indeed after (seamlessly) authentication by cookie 'redirection' but from your comments it doesn't seem ideal solution anymore. Will go with your suggestion of authentication via headers.
Furthermore in your debt and very much grateful.
Regards
from cors-anywhere.
Related Issues (20)
- Does not work in Deno (TypeError on every request) HOT 1
- 400 Bad Request HOT 1
- Update HTTP-Proxy to 1.18.1 to resolve https://github.com/advisories/GHSA-6x33-pw7p-hmpq HOT 1
- Redirects ruining GET parameters using axios HOT 2
- how to block specific final link not origin
- cors-anywhere doesn't work with youtube m3u8 files HOT 1
- Error creating app on Heroku website HOT 2
- API domain name resolution problem HOT 1
- performance problem, cors-anywhere doesn't use outbound HTTP keep-alive HOT 1
- s anywhere
- Question about whitelisting HOT 1
- getting an Uncaught (in promise) SyntaxError HOT 1
- Authorization error HOT 1
- Whitelisting subdomain doesn't work as expected
- see the CI test #271 #273
- cors anywhere not working on vercel HOT 1
- add option to add auth header for sites like reddit HOT 1
- Siteye kurulum
- live radio use case: Missing required request header. Must specify one of: origin,x-requested-with HOT 4
- Not found because of proxy error: AggregateError
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from cors-anywhere.