Comments (11)
You can do "*.gov.il"; the wildcard character matches any name in front of gov.il. Add that to your server.js file and save. Then run these commands in your command line:
- git add .
- git commit -m "some name"
- git push heroku master
from cors-anywhere.
Sorry, that was unclear to me - add the wildcard where? There's an "origin" blacklist/whitelist, but nothing in regard to the target, as far as I can see.
from cors-anywhere.
This is not part of the current functionality, but I can add it.
Restricting to "file types" is pointless, because it can easily be bypassed. For example, if you want to only allow PDF files, you would think that requiring the URL to end with ".pdf" would help. This is not the case, since one can easily append "?.pdf" or "&.pdf" to the URL to bypass the check.
The only meaningful restriction has to be based on the host name. What syntax do you prefer?
from cors-anywhere.
Hi Rob, thanks for your response! I thought I might be missing something. I bypassed the issue by putting a Varnish Cache service in front of the proxy, but I think it will be better to do this in the proxy itself, and I guess the same whitelist/blacklist format of the Origin will work here as well.
Regarding the PDF, I can't agree with you there - after all, anything you add to the URL will be in the query string and not the path (urlObject.pathname), which is what we need to check.
However, the file type check seems to me like an uncommon use case - so how about adding a callback to createServer() instead, so we can do our own filtering? Or is there one already?
from cors-anywhere.
> Regarding the PDF, I can't agree with you there - after all, anything you add to the URL will be in the query string and not the path (urlObject.pathname), which is what we need to check.

In theory, you're right. In practice, this heuristic doesn't cut it. On the one hand, there are sites with paths ending in .pdf that are not PDF files, e.g. https://example.com/not/a.pdf; on the other hand, there are sites that serve PDF files while the path does not end with .pdf.

> However, the file type check seems to me like an uncommon use case - so how about adding a callback to createServer() instead, so we can do our own filtering? Or is there one already?

I'm considering adding such a callback function, with a default implementation that takes the origin/domain list from the environment variables. The exact syntax is TBD.
from cors-anywhere.
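The two points argued in the comments above (a "file type" restriction on the proxied URL is trivially bypassed with "?.pdf", a pathname check is only a heuristic, and the meaningful restriction is on the target host name) can be shown in a few lines. The following is an added example and is not code from cors-anywhere; the "*.gov.il" wildcard syntax, the allow/deny policy shape, the function names, and the sample hosts are all assumptions for illustration, and the request-path handling only covers the absolute-URL form of the path that cors-anywhere accepts.

```javascript
// Added example, not code from cors-anywhere. Demonstrates why a suffix check
// on the proxied URL is bypassable, why a pathname check is still only a
// heuristic, and how a host-name allow/deny list behaves. Pattern syntax and
// function names are assumptions for illustration, not cors-anywhere's API.

// Naive check: decide "this is a PDF" from the end of the raw URL string.
// Bypass: append "?.pdf" (or "&.pdf") to any URL.
function naiveEndsWithPdf(rawUrl) {
  return rawUrl.toLowerCase().endsWith('.pdf');
}

// Path-only check: ignores query and fragment, so "?.pdf" no longer works.
// Still a heuristic: the path says nothing about what the server returns.
function pathEndsWithPdf(rawUrl) {
  let u;
  try { u = new URL(rawUrl); } catch { return false; }
  return u.pathname.toLowerCase().endsWith('.pdf');
}

// Host pattern: an exact host ("example.com") or "*.example.com", which
// matches any subdomain of example.com but not the apex itself. The dot kept
// in the suffix is what stops "notexample.com" from matching.
function hostMatches(hostname, pattern) {
  const h = hostname.toLowerCase();
  const p = pattern.toLowerCase();
  if (p.startsWith('*.')) {
    const suffix = p.slice(1); // ".example.com"
    return h.endsWith(suffix) && h.length > suffix.length;
  }
  return h === p;
}

// Target policy: the deny list wins over the allow list; an empty allow list
// means "allow everything not denied". Only absolute http(s) URLs are
// accepted, and the host comes from the URL parser, so a userinfo trick like
// "https://example.com@evil.test/" resolves to evil.test, not example.com.
function isAllowedTarget(rawUrl, policy) {
  const allow = policy.allow || [];
  const deny = policy.deny || [];
  let u;
  try { u = new URL(rawUrl); } catch { return false; }
  if (u.protocol !== 'http:' && u.protocol !== 'https:') return false;
  if (deny.some((p) => hostMatches(u.hostname, p))) return false;
  if (allow.length === 0) return true;
  return allow.some((p) => hostMatches(u.hostname, p));
}

// cors-anywhere takes the target URL as the request path, e.g.
// GET /https://www.gov.il/doc.pdf -> target https://www.gov.il/doc.pdf.
// A wrapper in front of the proxy could apply the policy like this
// (hypothetical; only the absolute-URL form of the path is handled here).
function decideRequest(reqPath, policy) {
  const target = reqPath.replace(/^\/+/, '');
  return { target, allowed: isAllowedTarget(target, policy) };
}

// Constructed sample policy for the demo (hosts chosen for illustration).
const POLICY = { allow: ['*.gov.il', 'example.com'], deny: ['abuse.gov.il'] };

function demo() {
  const rows = [
    ['naive suffix check bypassed', naiveEndsWithPdf('https://example.com/data.json?.pdf')],
    ['pathname check not bypassed', pathEndsWithPdf('https://example.com/data.json?.pdf')],
    ['pathname check, not really a PDF', pathEndsWithPdf('https://example.com/not/a.pdf')],
    ['www.gov.il allowed', decideRequest('/https://www.gov.il/doc.pdf', POLICY).allowed],
    ['gov.il apex not covered by *.gov.il', decideRequest('/https://gov.il/', POLICY).allowed],
    ['notgov.il rejected', decideRequest('/https://notgov.il/', POLICY).allowed],
    ['userinfo trick rejected', decideRequest('/https://example.com@evil.test/', POLICY).allowed],
    ['deny list wins', decideRequest('/https://abuse.gov.il/', POLICY).allowed],
  ];
  for (const [label, value] of rows) console.log(label.padEnd(36), value);
  return rows;
}

if (typeof require !== 'undefined' && require.main === module) demo();
```

Run it with `node` to see the table; the first three rows are the file-type argument from the thread, the rest are the host-name policy. Note that "*.gov.il" deliberately does not match the apex "gov.il" here; if you want both, list both patterns.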
I see. Since this is just to limit the attack surface, I'm OK with the possible omissions - but as I said, I'm doing most of that using Varnish now (which also serves my need for actual caching).
Would you like me to close this issue and open a new enhancement request for a callback function? Or just close this issue?
Thanks!
from cors-anywhere.
I'd keep this issue open. For the public demo, I am currently applying a patch on top of the default source that hard-codes checks to enforce blacklists for the few targets where I have seen abuse.
By "using Varnish", do you mean that you've replaced CORS Anywhere with Varnish, or something else?
from cors-anywhere.
by "using Varnish" I mean that I have varnish in front of CORS Anywhere, so any requests go through it first. This allows me to add some rules easily, have some caching (which I needed anyway), but still keep all of the logic of CORS Anywhere (which I wouldn't want to duplicate in Varnish's VCL).
from cors-anywhere.
@FreedomFighterSparrow How were you able to place Varnish in front of CORS Anywhere? All I need is some simple steps.
from cors-anywhere.
I was able to figure it out by following this tutorial: https://www.digitalocean.com/community/tutorials/how-to-configure-varnish-cache-4-0-with-ssl-termination-on-ubuntu-14-04
Basically I had to terminate all HTTPS traffic with Nginx, then pass it on to Varnish, which would then load from the cache or pass the request on to CORS Anywhere.
from cors-anywhere.