rob--w / cors-anywhere Goto Github PK

I'm trying to use this and am encountering an error:
I'm hosting this on Modulus.io, and have set up the Package.json to have start: node server.js, with main also set to server.js. server.js is exactly like the file in the repo, except for HOST, which is set by Modulus.

Any idea what I'm doing wrong? I can't even get to the point of calling the doCORSRequest from the HTML because I can't get the server-side to start. Any help appreciated!

/mnt/data/1/node_modules/http-proxy/lib/node-http-proxy.js:122 throw new Error(message);
^
Error: Cannot proxy without port and host, options.target or options.router, or proxy handlers
at Object.exports.createServer (/mnt/data/1/node_modules/http-proxy/lib/node-http-proxy.js:122:11)
at Object.createServer (/mnt/data/1/cors-anywhere.js:325:27)
at Object.<anonymous> (/mnt/data/1/server.js:7:12)
at Module._compile (module.js:456:26)
at Object.Module._extensions..js (module.js:474:10)
at Module.load (module.js:356:32)
at Function.Module._load (module.js:312:12)
at Function.Module.runMain (module.js:497:10)
at startup (node.js:119:16)
at node.js:929:3

http://www.sitrende.net/feed does a 301 redirect to http://www.sitrende.net/feed/, but when trying it in the demo.html, it seems like server.js keeps trying the slash-less version, so the redirect just loops.

CORS Anywhere is currently hosted at Heroku using the free plan. Currently, this plan offers an uptime of 24/7 if the application is actively used.

As of 1 July 2015, all existing free plans will be "upgraded" to a new free plan that limits the uptime to 18 hours a day (i.e. fo 6 hours a day, CORS Anywhere will be offline). This change has been announced at https://blog.heroku.com/archives/2015/5/7/new-dyno-types-public-beta.

I suggest to self-host CORS Anywhere if uptime is critical.

(To maintain the 24/7 uptime for the existing deployment at cors-anywhere.herokuapp.com, 7$ per month needs to be paid. 84$/year for something that doesn't give me any revenue is a bit too much.)

I ran a quick test, and I noticed that the speed at

allow-any-origin.appspot.com

is much faster. Can anything be done about this?

$ set https://s.ytimg.com/yts/jsbin/html5player-vfl4AMHqP.js

$ time curl -Os -H 'origin: *' https://cors-anywhere.herokuapp.com/$1

real    0m6.159s
user    0m0.093s
sys     0m0.015s

$ time curl -Os -H 'origin: *' https://allow-any-origin.appspot.com/$1

real    0m0.878s
user    0m0.171s
sys     0m0.061s

The Android Stock browser seems to abort the request when the server replies with a redirect (https://code.google.com/p/android/issues/detail?id=59474).

Because 301 / 302 are the most common redirects, these redirects should automatically be followed when the Android user agent is detected. These requests can safely be coverted to GET.

To support 307/308, the request payload needs to be buffered, which requires some more work. Considering its rare occurrence, I won't spend time on this part.

Add an option to restrict access to the service for self-hosted CORS Anywhere instances.

Hi I was wondering how I would create my own instance of the cors-anywhere proxy. I have an apache server so I'm not sure what to do with the code and how to run it?

http://cors-anywhere.herokuapp.com/ Application Error:
how long is this going to last ?

First of all, thank you for making your proxy public. It's been a great help in a browser-based application I'm working on that needs to consume linked data. I'm going to talk to my colleagues to see if we can do anything to help with #25.

I noticed a problem today where requesting a certain resource would result an an endless redirect to the same Location as the original request. Here's a test on test-cors.org. This endless redirect does not occur when requesting from the non-HTTPS proxy.

this url fails when I access it from ajax request.

Here is my code.

var x = new XMLHttpRequest();
x.open('GET', 'https://cors-anywhere.herokuapp.com/http://www.thecapitoltheatre.com/files/2016/01/squirrel1.jpg');
//x.setRequestHeader('x-requested-with', 'XMLHTTPREQUEST'); adding this also won't chang anyting.
//x.setRequestHeader('origin', 'http://localhost); if i do this browser throwing exception.(Refused to set unsafe header "origin",in Google Chrome)
x.responseType = 'blob';
x.onload = function () {..........};
x.onerror = function () {........}

Hello! Has anyone succeeded in settings it up on AWS Lambda and can share some experiences? To me caching comes to mind, of course. However, to me an excellent low-cost use-case to to CORSify prepackaged or legacy APIs.

If two different sites try to access the same URL through your Heroku app, the second one will not work (it gets a "Cross-origin image load denied by Cross-Origin Resource Sharing policy." error).

I'm pretty sure this because in

I've confirmed that clearing cache fixes the next load, but this isn't a great solution given that this is intended to make CORS "just work". Is there a reason you don't just allow wildcard origin?

demo.html:81 GET http://example.com/http://google.com 403 (Forbidden)

someone can help me?
tried everything but no success :/

i use your CORS from API GET and it success, but when i use for API POST it can't working. Can you solve this Rob ? Thank you before :)

Hi, Rob,
your work is excelent, but...
I work with pages with windows-1250 charset and I use jquery get method. Pages are loaded correctly, but with the wrong character set :-(
Do you have any suggestion?
THNX!

Petr

Demo: http://www.finecafe.cz/finecafe/pokus.php
My code: http://www.finecafe.cz/finecafe/tooltip-code.txt

Hello,
I have a file on server like: "crossdomain.xml" and how i can access it via url:
http://host:port/crossdomain.xml

To limit the attack vector of my (local) cors-anywhere proxy, I want to limit the domains it will ferry requests to, as well as the filetypes. In my specific use case, I want to limit it only to domains under '.gov.il'. How can I go about doing so?

Thanks!

Hi!

I have a use-case where I would like to run this package behind a corporate firewall. So I would need the cors-anywhere reverse proxy to go through http(s)://proxy.example.com to fetch from the origin. Is this supported (basically I would want the proxy to pickup the settings in the env variables http_proxy or https_proxy like chrome and other tools do, but setting it explicitly would also be fine.)? Any clues? Your help would be very much appreciated.

Hi,
Please let me know how can i setup the CORS-anywhere setup at our server, I have downloaded the library files and put on the server, do let me know the steps.

The CORS Anywhere demo is hosted at Heroku. I've been informed that the app is causing performance issues on the platform and that hosting an open proxy is against the Acceptable Use Policy:

1. Use the Service to operate an "open proxy" or any other form of Internet proxy service that is capable of forwarding requests to any End User or third party-supplied Internet host;

I'll be monitoring the traffic in the coming period, and blacklist all origins/destinations that have excessive usage demands, and/or automatically block sites that have more than X requests per Y seconds, unless explicitly whitelisted.

These measures are needed to 1) resolve the performance issues on Heroku platform 2) prevent abuse of the open CORS Anywhere proxy 3) Ensure that the CORS Anywhere demo can continue to operate for (small) sites who want to try out CORS Anywhere before hosting it themselves.

I get an error when accessing a service/server on a different port.

The service uses the node module express.

OPTIONS http://127.0.0.1:8080/http://127.0.0.1:3000/terms-and-conditions/ net::ERR_CONNECTION_REFUSED

Any suggestions?

when i try to run server.js on node.js im getting this error:
Error: Cannot find module 'http-proxy'
at Function.Module._resolveFilename (module.js:325:15)
at Function.Module._load (module.js:276:25)
at Module.require (module.js:353:17)
at require (internal/module.js:12:17)
at Object. (C:\Program Files\nodejs\node_modules\cors-anywhere\lib\cors-anywhere.js:6:17)
at Module._compile (module.js:409:26)
at Object.Module._extensions..js (module.js:416:10)
at Module.load (module.js:343:32)
at Function.Module._load (module.js:300:12)
at Module.require (module.js:353:17)

npm ERR! This is most likely a problem with the cors-anywhere package,
npm ERR! not with npm itself.
npm ERR! Tell the author that this fails on your system:
npm ERR! node server.js
npm ERR! You can get information on how to open an issue for this project with:
npm ERR! npm bugs cors-anywhere
npm ERR! Or if that isn't available, you can get their info via:
npm ERR!
npm ERR! npm owner ls cors-anywhere
npm ERR! There is likely additional logging output above.

I'm testing a quick website, and I'm not sure what the issue is but I believe that the HTML that is returned depends on whether or not the website provides the same HTML as the mobile version.

Or does this ignore the dimensions of the user using it?

Demo says 200 OK for this but the API returns Missing required request header. Must specify one of: origin,x-requested-with
Am I missing something?

Hi,

I tried using cors-anywhere to make a LinkedIn social share button to open LinkedIn's share form in a modal popup. However, there is no way that the existing LinkedIn session/cookies get passed through proxy.
Is this even possible, or has anyone tried this at all?

Thanks.

Hi I tried the demo, all website assets loaded except the font with relative path inside css not loaded. I use iconmoon font icon and all css and js is bundled, css and js are loaded but the icon font not working

any idea why?
Thanks,

I am setting up this proxy at localhost to access a REST API that only allows access from certain IP addresses. When I open a local html file (with file:// in the URL) to make a POST request to the API via cors-anywhere, it appears to the API server that I am from 127.0.0.1, which is not a trusted IP address. Is there any way to change the settings in cors-anywhere to make the request as coming from my actual IP address? Thanks for your advice.

Making an ajax request as open('GET', 'http://cors-anywhere.herokuapp.com/' + encodeURIComponent('google.com/?gws_rd=ssl#q=test')) doesn't successfully work. The google site claims that the site / wasn't found (probably the parameters are cut?).

Edit: In case encoding the address is wrong I'm also getting an unexpected result with open('GET', 'http://cors-anywhere.herokuapp.com/http://www.google.com/?gws_rd=ssl#q=test');.

.

Hi, I am trying to setup the CORS-Anywhere server and am facing this problem whenever I try to access a URL

//URL: http://localhost:1337/google.com (I use 8080 for tomcat)
Not found because of proxy error: Error: connect ECONNREFUSED

At first I got the Missing headers message, I tried 2 things:

• Remove the requireHeader option (ie set it to null)
• Left the recommended requireHeader as-is and added them in the createServer function

Both of them give the same error as shown above. Any help is appreciated. Thanks.

most recent version in npm is still 0.2.0

When using CORs with Access-Control-Allow-Credentials:true the Access-Control-Allow-Origin cannot be *. Usual practice is the echo back the the request origin as the allowed origin. It would be good to have some option to do this rather than having to know the origin ahead of time and add it to the whitelist.

Steps to reproduce:

1. Visit https://robwu.nl/cors-anywhere.html
2. Enter a https URL, e.g. https://robwu.nl
3. Observe the following reply:

GET https://robwu.nl
400 Bad Request

<html>
<head><title>400 The plain HTTP request was sent to HTTPS port</title></head>
<body bgcolor="white">
<center><h1>400 Bad Request</h1></center>
<center>The plain HTTP request was sent to HTTPS port</center>
<hr><center>nginx/1.4.7</center>
</body>
</html>
<!-- a padding to disable MSIE and Chrome friendly error page -->
<!-- a padding to disable MSIE and Chrome friendly error page -->
<!-- a padding to disable MSIE and Chrome friendly error page -->
<!-- a padding to disable MSIE and Chrome friendly error page -->
<!-- a padding to disable MSIE and Chrome friendly error page -->
<!-- a padding to disable MSIE and Chrome friendly error page -->

Hi!

I've been enjoying this handy CORS proxy and now I was wondering why requesting user credentials is disallowed as it makes all the requests with withCredentials set to true fail.
I've been playing around adding the header Access-Control-Allow-Credentials without success. However, I believe there must be a way as it is possible to do so with JSONP.
Thanks in advance!

Regards

Is it possible to change the referer and origin header?

I've tried to do this by delete request.headers['referer']; delete request.headers['origin'];

It seems latest versions of Chrome doesn't set any ofOriginorx-requested-with.

Please Allow the Content-Length in Access-Control-Expose-Headers!

Currently ,any try to get the length of a file through your proxy via AJAX result in a Nullvalue.
Just look here for more details.

HEAD /artestras.vo.llnwd.net/v2/am/HBBTV/045326-000-A_EXT_EQ_2_VF-STF_01475234_MP4-1500_AMM-HBBTV_EXTRAIT.mp4 HTTP/1.1
User-Agent: Mozilla/5.0 (compatible; MSIE 11.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; InfoPath.3) Opera/12.50 Presto/2.12.378
Host: cors-anywhere.herokuapp.com
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/webp, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
Accept-Language: fr-FR,fr;q=0.9,en;q=0.8
Accept-Encoding: gzip, deflate
Referer: http://www.arte.tv/guide/fr/045326-000/de-nouvelles-revelations-sur-stonehenge
Connection: Keep-Alive
DNT: 1
Origin: http://www.arte.tv

HTTP/1.1 200 OK
Connection: keep-alive
X-Request-Url: http://artestras.vo.llnwd.net/v2/am/HBBTV/045326-000-A_EXT_EQ_2_VF-STF_01475234_MP4-1500_AMM-HBBTV_EXTRAIT.mp4
Server: nginx/1.0.12
Content-Type: video/mp4
Accept-Ranges: bytes
X-Agile-Checksum: 1ef7aa3e8ba05a662e632e1df62dd28bb8fd1b90ebb5a9817d787843002b27ec
Age: 2933
Date: Sun, 05 Oct 2014 13:47:31 GMT
Last-Modified: Mon, 22 Sep 2014 14:27:02 GMT
Content-Length: 14504083
Access-Control-Allow-Origin: *
Access-Control-Expose-Headers: location,x-request-url,x-final-url
X-Final-Url: http://artestras.vo.llnwd.net/v2/am/HBBTV/045326-000-A_EXT_EQ_2_VF-STF_01475234_MP4-1500_AMM-HBBTV_EXTRAIT.mp4
Via: 1.1 vegur

.

hi

I instal cors-anywhere and http-proxy into local computer but when I make a request :
$.ajax({ type: "GET", url: 'http://localhost:8080/http://google.com/',dataType: "text",
success: function(data){
console.log(data)
},
error: function(request, error, tipo_errore) {
console.log(error)
}
});

I have an error :
"NetworkError: 404 Not Found - http://localhost:8080/http://google.com/?_=1416574536780"
Not found because of proxy error: Error: getaddrinfo EAGAIN

with :

  $.ajax({ type: "GET", url: 'https://cors-anywhere.herokuapp.com/http://google.com/',dataType: "text",
   success: function(data){
       console.log(data)
   },
   error: function(request, error, tipo_errore) {
       console.log(error)
   }

});

works perfect :)

could you helpme ?

I need to get the file size of large videos, so I wrote this function :

function GetFileSize(Url){
  var size;
  var ajax = new XMLHttpRequest();
  ajax.onreadystatechange = function () {
    if (this.readyState == this.DONE) {
      size=ajax.getAllResponseHeaders();
      size=parseInt(ajax.getResponseHeader("Content-Length"));
    }
  };
  ajax.open('HEAD', Url, false); // <-- the 'false' makes it synchronous, and the 'HEAD' avoid to download the whole file
  ajax.send(null);
  return size/1048576;
}

which doesn't work, and it appear you don't supportHEADrequests :

HEAD /artestras.vo.llnwd.net/v2/am/HBBTV8730-000-A_SQ_2_VF-STF_01483166_MP4-2200_AMM-HBBTV.mp4 HTTP/1.1
Host: cors-anywhere.herokuapp.com
User-Agent: Mozilla/5.0 (compatible; MSIE 11.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; InfoPath.3) Opera/12.50 Presto/2.12.378
Accept: text/html, application/xml;q=0.9, application/xhtml xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
Accept-Language: en
Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
Connection: Keep-Alive, TE
TE: deflate, gzip, chunked, identity, trailers


HTTP/1.1 400 Header required
Server: Cowboy
Connection: keep-alive
Access-Control-Allow-Origin: *
Access-Control-Expose-Headers: location,x-request-url,x-final-url
Date: Sun, 05 Oct 2014 02:15:31 GMT
Via: 1.1 vegur

The real site work as expected when it receive the request, but the brother reject the content (because of SOP):

HTTP/1.1 200 OK
Server: nginx/1.0.12
Content-Type: video/mp4
Accept-Ranges: bytes
X-Agile-Checksum: 5914f511b20f4e0563508cf629dfffa9bbe452ec7a64edd27cfb5a01622597ed
Age: 65997
Date: Sun, 05 Oct 2014 02:14:02 GMT
Last-Modified: Sun, 28 Sep 2014 19:42:44 GMT
Content-Length: 1577111989
Connection: keep-alive

I want to know if is it like a proxy ? or not?
SO it can be blocked by a site and you can't request from that site?
the purpose from using ajax javascript request from a site , to show that the client who request it not a server.

just fyi
https://github.com/kumavis/docker-cors-anywhere
https://registry.hub.docker.com/u/kumavis/cors-anywhere

Hi, I'm using the proxy for a mobile app with phonegap. I can do the GET request with any problem, but when I'm doing the POST request, the response is the following: "Not found because of proxy error: Error: CERT_HAS_EXPIRED"

The header is this:

.

Hi!

Thanks for this great little tool you've built. It's been great for us to use as part of a development server.

One little nit for us is the omission of the set-cookie header, because we depend on this for authentication. I understand that you've disallowed this to avoid security issues in production, but since we're using it in a development server we would like to allow it.

Is it possible you could add an option to allow cookies, perhaps hidden behind an obscure flag (e.g. dangerouslyAllowCookies)?

Hi,

While trying to connect to a web server with self signed certificates, the connection is refused, because the certificates don't validate.

Can an option to ignore the certificate validation be added?

Regards

https://cors-anywhere.herokuapp.com/ appears to be down. Therefore when I make a $.get request I receive an error. Because of the $.get error I then receive an No 'Access-Control-Allow-Origin' error as well. Is anyone else experiencing this? Is there a time frame for it to be fixed?

I had an old instance of cors-anywhere used for proof of concept. I just found out that it wasn't working with pictures coming from a specific domain. So I updated to the latest version of the repo but this didn't solve the issue.

Is there any settings the demo might have that is not default? I only modified the IP port (because I had to). I am planning obviously to add whitelisted servers. My instance works with images from other domains.

Here a successful example with demo server with an image I am having issues with: http://codepen.io/anon/pen/wgeLwW

Thanks!

I've noticed that the demo at cors-anywhere.herokuapp.com is often under heavy load. A quick analysis of the log files shows that the service is being abused: someone is hammering the proxy with requests to plusone URLs. This needs further investigation, and might result in the introduction of a blacklist of disallowed URLs.

Note about logging:

• I use the default logging feature of Heroku, which shows only the last 1500 lines. At the current rate of requests, logs are discarded within 14 seconds.
• The log format is documented at https://devcenter.heroku.com/articles/logging
• Logs are only used to counter abuse and performance issues.
• To get a list of most requested hosts, I used heroku logs --app=cors-anywhere -n 1500 | sed 's@^.\+path="/\(https\?://cors-anywhere.herokuapp.com/\)*https\?://\([^/]\+\)/.\+$@\2@' | sort -rn | uniq -c | grep -v 'bytes=[0-9]\+$' | sort -n