Comments (4)
PR #52 adds the option to reflect the origin.
Note that CORS Anywhere should not be used with `Access-Control-Allow-Credentials: true`, because it would allow other (proxied) domains to see the cookies and other credentials of other proxied domains.

> Note that CORS Anywhere should not be used with `Access-Control-Allow-Credentials: true`, because it would allow other (proxied) domains to see the cookies and other credentials of other proxied domains.

It's not clear what you meant there.
There seems to be no reason to not set `Access-Control-Allow-Credentials: true`, which requires `Access-Control-Allow-Credentials` not being equal to `*` but instead set to `request.headers['Origin']`.
https://fetch.spec.whatwg.org/
Otherwise cookies won't work.
My fix is to edit `./lib/cors-anywhere.js` and replace `headers['access-control-allow-origin'] = '*'` with `headers['access-control-allow-origin'] = request.headers['origin']` and add `headers['access-control-allow-credentials'] = true;` after it. This seems to fix cookies when using `fetch({ mode: 'cors', credentials: 'include' })`.

@catamphetamine Cookies by browsers are sent to a specific domain. When you enable credentials on CORS Anywhere, the cookies set by one proxied site are sent to every other proxied website, because every request from the browser goes to the CORS Anywhere domain. This is a huge security issue, and therefore I strongly discourage the use of credentials with CORS Anywhere.
The only situation where your proposal is acceptable is when your CORS Anywhere proxy is configured to only accept requests to one destination. But that requires more effort, in particular you need to account for redirects (and strip cookies on redirects, OR not automatically follow redirects).
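To make the leak described above concrete, here is an added toy model (not code from cors-anywhere or from either commenter) of a browser cookie jar talking to a CORS Anywhere-style proxy. The hostnames `cors.example`, `app.example`, `site-a.test` and `site-b.test`, the cookie value and the `credentials` config flag are all constructed for this example.

```javascript
// Added example, not code from the cors-anywhere project: a toy model of the
// cookie leak described in the comment above. Hostnames, the cookie value and
// the two upstream sites are constructed for the demonstration.

const PROXY_HOST = 'cors.example'; // constructed proxy hostname
const PAGE_ORIGIN = 'https://app.example'; // constructed origin of the calling page

// Constructed upstream sites. site-a.test issues a session cookie on login;
// site-b.test sets nothing and only reports which Cookie header it received.
const UPSTREAM = {
  'site-a.test': (cookie) => ({ setCookie: 'session=abc123', sawCookie: cookie }),
  'site-b.test': (cookie) => ({ setCookie: null, sawCookie: cookie }),
};

// Toy proxy in the CORS Anywhere style: the target URL is the request path
// minus the leading "/". It forwards whatever Cookie header the browser sent.
// With credentials on, it reflects Origin and allows credentials (the change
// proposed in this thread); otherwise it answers with "*".
function proxyHandle(req, config) {
  const target = new URL(req.path.slice(1));
  const upstream = UPSTREAM[target.host];
  if (!upstream) return { status: 404, headers: {} };
  const res = upstream(req.cookie);
  const headers = config.credentials
    ? { 'access-control-allow-origin': req.origin, 'access-control-allow-credentials': 'true' }
    : { 'access-control-allow-origin': '*' };
  return { status: 200, headers, ...res };
}

// Toy browser: one cookie jar keyed by the host that set the cookie. For a
// credentialed request it sends the jar entry for that host, and it stores a
// Set-Cookie only when the CORS response permits credentials for this page.
function makeBrowser(config) {
  const jar = new Map();
  return {
    fetch(url, { credentials = 'omit' } = {}) {
      const u = new URL(url);
      const withCreds = credentials === 'include';
      const cookie = withCreds ? jar.get(u.host) || null : null;
      const res = proxyHandle({ path: u.pathname + u.search, cookie, origin: PAGE_ORIGIN }, config);
      const h = res.headers;
      const credsAllowed = h['access-control-allow-credentials'] === 'true'
        && h['access-control-allow-origin'] === PAGE_ORIGIN;
      // "*" (or a mismatched origin) on a credentialed request: the browser rejects the response
      if (withCreds && !credsAllowed) return { blocked: true };
      if (withCreds && res.setCookie) jar.set(u.host, res.setCookie);
      return res;
    },
    cookiesFor: (host) => jar.get(host) || null,
  };
}

// Scenario: the page logs in to site-a through the proxy, then fetches site-b
// through the same proxy. Returns the Cookie header site-b received and the
// host the browser filed the session cookie under (always the proxy host).
function runScenario(config) {
  const browser = makeBrowser(config);
  const via = (target) => `https://${PROXY_HOST}/${target}`;
  browser.fetch(via('https://site-a.test/login'), { credentials: 'include' });
  const res = browser.fetch(via('https://site-b.test/'), { credentials: 'include' });
  return {
    siteBSawCookie: res.sawCookie ?? null,
    cookieStoredUnder: browser.cookiesFor(PROXY_HOST) ? PROXY_HOST : null,
  };
}

// With credentials enabled on an open proxy, site-b receives site-a's session cookie.
console.log(runScenario({ credentials: true }));  // { siteBSawCookie: 'session=abc123', cookieStoredUnder: 'cors.example' }
console.log(runScenario({ credentials: false })); // { siteBSawCookie: null, cookieStoredUnder: null }
```

The point the model makes is that the browser never sees `site-a.test` or `site-b.test` as cookie domains at all; both responses arrive from `cors.example`, so one jar entry serves every destination the proxy will reach. Nothing in the CORS headers can fix that, which is why the restriction has to be on which destinations the proxy forwards to.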

> Cookies by browsers are sent to a specific domain. When you enable credentials on CORS Anywhere, the cookies set by one proxied site are sent to every other proxied website, because every request from the browser goes to the CORS Anywhere domain. This is a huge security issue, and therefore I strongly discourage the use of credentials with CORS Anywhere.

Hmm, I see, so all cookies for multiple proxied domains would end up being set on the "CORS Anywhere" domain.
That's a security issue indeed.
Still, if such a "CORS Anywhere" instance is configured to only allow proxying a certain origin, there would be no risks involved because an attacker couldn't make it forward HTTP requests to their site to read the cookies.
For example, where you have:

```javascript
var location = parseURL(req.url.slice(1));
```

Some kind of an `isAllowedOrigin(location.origin)` function call could be added (along with the setting).
Another protection from this kind of attack is configuring `originWhitelist` so that an attacker would be denied access to a "CORS Anywhere" instance because they can't host a page at such an origin.

> The only situation where your proposal is acceptable is when your CORS Anywhere proxy is configured to only accept requests to one destination. But that requires more effort, in particular you need to account for redirects (and strip cookies on redirects, OR not automatically follow redirects).

I don't need any redirects.
I'm fine with a redirectless approach.
So, to conclude, there's no valid reason to disallow cookies in this library.
There could be a requirement of having only a single whitelisted origin if the `credentials: true` option is passed.
At init:

```javascript
// Refuse to start with credentials enabled unless exactly one origin is whitelisted
if (corsAnywhere.credentials) {
  if (corsAnywhere.originWhitelist.length !== 1) {
    throw new Error('Only a single whitelisted origin is allowed when using credentials.');
  }
}
```

In code:

```javascript
if (corsAnywhere.credentials) {
  // With credentials the origin must be reflected; "*" is not permitted by the Fetch spec
  headers['access-control-allow-origin'] = request.headers['origin'];
  // Header values are strings, so send the literal "true" rather than a boolean
  headers['access-control-allow-credentials'] = 'true';
} else {
  headers['access-control-allow-origin'] = '*';
}
```
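The two snippets proposed above, turned into checked functions as an added example that is not the project's code: the init-time rule (credentials require exactly one whitelisted origin), the per-request header logic, a destination check in the spirit of the suggested `isAllowedOrigin(location.origin)` call, and the redirect handling the maintainer says credentials would require. `originWhitelist` is the project's existing option as named in the thread; `credentials`, `targetWhitelist`, `isAllowedTarget`, `handleRequest` and `redirectDecision` are names assumed here.

```javascript
// Added example, not code from the cors-anywhere project: the init-time check
// and the header logic proposed in this thread, plus the single-destination rule
// and the redirect policy the maintainer mentions. Config keys other than
// originWhitelist (credentials, targetWhitelist) are assumed names.

const REDIRECT_STATUSES = new Set([301, 302, 303, 307, 308]);

// Init-time check: credentials are only acceptable when exactly one page origin
// may call the proxy and the proxy may reach exactly one destination origin.
function validateConfig(config) {
  if (config.credentials) {
    if (!Array.isArray(config.originWhitelist) || config.originWhitelist.length !== 1) {
      throw new Error('Only a single whitelisted origin is allowed when using credentials.');
    }
    if (!Array.isArray(config.targetWhitelist) || config.targetWhitelist.length !== 1) {
      throw new Error('Only a single proxied destination is allowed when using credentials.');
    }
  }
  return config;
}

// Per-request CORS headers. Returns null when the caller's Origin is not the
// single whitelisted one, so the request can be refused before anything is proxied.
function buildCorsHeaders(requestHeaders, config) {
  const origin = requestHeaders['origin'];
  const headers = {};
  if (config.credentials) {
    if (origin !== config.originWhitelist[0]) return null;
    headers['access-control-allow-origin'] = origin; // reflect; never "*" with credentials
    headers['access-control-allow-credentials'] = 'true'; // header values are strings
    headers['vary'] = 'Origin'; // the response now depends on the caller's Origin
  } else {
    headers['access-control-allow-origin'] = '*';
  }
  return headers;
}

// Destination check in the spirit of the isAllowedOrigin(location.origin) call
// suggested above (assumed name, not part of the project). Credential-less mode
// keeps the open behaviour; credentialed mode allows only the whitelisted origin.
function isAllowedTarget(targetOrigin, config) {
  if (!config.credentials) return true;
  return config.targetWhitelist.includes(targetOrigin);
}

// Decision for one incoming request: parse the target like CORS Anywhere does
// (everything after the leading "/"), check caller and destination, build headers.
function handleRequest(req, config) {
  const headers = buildCorsHeaders(req.headers, config);
  if (headers === null) return { status: 403, reason: 'origin not whitelisted' };
  let target;
  try {
    target = new URL(req.url.slice(1));
  } catch (e) {
    return { status: 400, reason: 'invalid target URL' };
  }
  if (!isAllowedTarget(target.origin, config)) {
    return { status: 403, reason: 'destination not whitelisted' };
  }
  return { status: 200, target: target.href, headers };
}

// Redirect policy for credentialed mode, following the maintainer's "do not
// automatically follow" alternative: a redirect that leaves the whitelisted
// destination is not followed and no Cookie header is forwarded to it.
// `location` may be relative, so it is resolved against the current target.
function redirectDecision(upstreamStatus, location, currentTarget, config) {
  if (!REDIRECT_STATUSES.has(upstreamStatus)) return { follow: false, kind: 'not-a-redirect' };
  if (!config.credentials) return { follow: true, kind: 'follow' };
  const next = new URL(location, currentTarget);
  return isAllowedTarget(next.origin, config)
    ? { follow: true, kind: 'follow', forwardCookie: true }
    : { follow: false, kind: 'refused-cross-origin-redirect', forwardCookie: false };
}

// Constructed configuration: one calling page, one API destination.
const config = validateConfig({
  credentials: true,
  originWhitelist: ['https://app.example'],
  targetWhitelist: ['https://api.site-a.test'],
});
console.log(handleRequest({ url: '/https://api.site-a.test/me', headers: { origin: 'https://app.example' } }, config));
console.log(handleRequest({ url: '/https://site-b.test/', headers: { origin: 'https://app.example' } }, config));
console.log(redirectDecision(302, 'https://site-b.test/landing', 'https://api.site-a.test/me', config));
```

The destination whitelist is checked on the initial target and again on every redirect `Location`, because an allowed destination that redirects elsewhere would otherwise carry the cookie out of the whitelist; the `Vary: Origin` header is there so a cache does not serve a reflected-origin response to a different caller.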