• Stars
    star
    143
  • Rank 257,007 (Top 6 %)
  • Language
    JavaScript
  • License
    MIT License
  • Created over 4 years ago
  • Updated about 4 years ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

A lightweight JavaScript CORS Reverse Proxy designed to run in a Cloudflare Worker.

CORSflare

A lightweight JavaScript CORS Reverse Proxy designed to run in a Cloudflare Worker.

Introduction

CORSflare is a reverse proxy written in JavaScript that can be used to bypass most common Cross-Origin Resource Sharing restrictions, such as:

  • Frame/Iframe: Refused to display [some URL] in a frame because it is set 'X-Frame-Options' to 'SAMEORIGIN'
  • XMLHttpRequest: XMLHttpRequest cannot load [some URL]. Origin [some origin] is not allowed by Access-Control-Allow-Origin

... And so on.

The proxy has been designed to run within a Cloudflare Worker, which is freely available for up to 100.000 requests per day; this basically means that you can use this proxy to put any external web page within a <iframe> element, and/or call a external API via AJAX, and/or to bypass any common CORS restriction without spending a penny, assuming you don't have enterprise-grade service level requirements.

Wait a minute... what is CORS?

If you've stumbled upon this project there's a high chance you already know what CORS actually is and why you need to bypass such policies: if that's the case, just skip this section and go ahead.

In the unlikely case you don't, just know that Cross-Origin Resource Sharing (CORS) is a mechanism that uses additional HTTP headers to tell browsers to give a web application running at one origin, access to selected resources from a different origin.

A web page executes a cross-origin HTTP request when it requests a resource that has a different origin (domain, protocol, or port) from its own. For security reasons, modern browsers restrict some of those cross-origin HTTP requests (script, iframe, JS-initiated requests such as XMLHttpRequest and Fetch API calls, and so on) because they could be abused in various ways. These restrictions are applied using a same-origin policy, which explicitly prevents the browser from requesting those kind of resources unless they come from the same origin (FQDN) of the HTML page (or script) that tries to load them.

The following diagram explains such concept in a visual way:

Cross-Origin Requests

The only way to overcome the same-origin` policy is to ensure that the requested resource from other origins includes the right HTTP headers, such as the following ones:

  • Access-Control-Allow-Origin, which indicates whether the response can be shared with requesting code from the given origin.
  • X-Frame-Options, that can be used to indicate whether or not a browser should be allowed to render a page in a <frame>, <iframe>, <embed> or <object> HTML element.

If you can access (or ask) the server hosting the "other origin" resources and configure those headers to authorize your domain, there's a high chance you don't need to use this proxy or other workarounds: that's the proper (and most efficient) way to fix your issue.

Conversely, if you don't have access to those resources and/or can't change their HTTP headers, you might find the CORSflare Reverse Proxy useful enough, since it's specifically designed to remove such limitations.

How it works

Here's a diagram that shows how the CORS reverse proxy actually works:

CORS Reverse Proxy

In a nutshell, the proxy will respond to the preflight request issued by the Front End App (for example, a web browser) by setting the "CORS allowed" headers: right after that, it will forward the request to the target server, receive its response and send them back to the client app without the same-origin limitations.

Moreover, CORSflare can also be configured to perform some other additional tasks, such as ''on-the-fly'' text replacing (to handle inner links, URLs and so on), cache control overrides, blacklist traffic coming from certain regions / countries IP addresses, and so on.

How to install

To setup CORSflare within a Cloudflare Worker, follow these steps:

  • Download the latest CORSflare version from the CORSflare GitHub page: you'll only need the CORSflare.js JavaScript file.
  • Login to Cloudflare. If you don't have an account, create one: it's free and the basic plan will arguably be enough for most common scenarios, as it will grant 100.000 requests per day.
  • Navigate to the Workers section using the top-level menu.
  • Create a new worker. If it's the first time you do that, you'll also be asked to choose a subdomain, such as domainName.workers.dev. The subdomain name will be appended to the worker's name to form the worker's FQDN, such as workerName.domainName.workers.dev.
  • Paste the CORSflare.js source code within the worker code.
  • Setup the CORSflare configuration settings by following the instructions in the code comment sections (or see below).

Configuration Settings

CORSflare's configuration settings can be set via some JavaScript constants & variables placed at the beginning of the source code. The best way to do that is to read the code comments. However, here's a quick breakdown of the most relevant options:

  • upstream : The hostname of the upstream website to proxy (example: www.google.com).
  • upstream_mobile : the hostname of the upstream website to proxy for requests coming from mobile devices (example: www.google.com); if the upstream website doesn't have a dedicated hostname for mobile devices, you can set it to NULL.
  • upstream_path : custom pathname for the upstream website ('/' will work for most scenarios).
  • upstream_allow_override: set it to TRUE to allow the default upstream to be overridden with a customizable GET parameter, FALSE otherwise.
  • upstream_get_parameter: the GET parameter that can be used to override the default upstream if upstream_allow_override is set to TRUE (default is CORSflare_upstream).
  • blocked_regions : an array of countries and regions that won't be able to use the proxy.
  • blocked_ip_addresses : an array of IP addresses that won't be able to use the proxy.
  • https : set this value to TRUE to fetch the upstream website using HTTPS, FALSE to use HTTP. If the upstream website doesn't support HTTPS, this must be set to FALSE; also, if the proxy is HTTPS, you'll need to enable the replace_dict rule to HTTPS proxy an HTTP-only website (see below).
  • http_response_headers_set : an array of HTTP Response Headers to add (or to update, in case they're already present in the upstream response); this option can be used to circumvent the same-origin policy because it allows to set the X-Frame-Options and Access-Control-Allow-Origin headers to allow cross-origin requests.
  • http_response_headers_delete : an array of HTTP Response Headers to delete (if present in the upstream response); this option can be used to circumvent the same-origin policy because it allows to remove the Content-Security-Policy headers before serving the upstream pages to the end-user client.
  • replacement_rules : Can be used to define custom text replacement rules (see section below).
  • replacement_content_types : Can be used to specify the returned content's content-type(s) to apply the replacement_rules to.
  • replacement_use_regex : Can be used to enable or disable RegEx syntax in replacement rules.

Text Replacement Rules

The replacement_rules array can be used to configure the text replacement rules that will be applied by the proxy before serving any text/html resource back to the user.

The common usage of such rules is to "fix" non-standard internal URLs and/or local paths within the upstream's returned contents (html pages, css, js, internal links, custom fonts, and so on, depending on the content type(s) specified in the replacement_content_types array) and force them to pass to the proxy; however, they can also be used to alter the response content in various ways (change a logo, modify the page title, add a custom css/js, and so on).

Each rule must be defined in the following way:

'<source_string>' : '<replacement_string>'

The following dynamic placeholder can be used within the source and replacement strings:

  • {upstream_hostname} : will be replaced with the upstream's hostname
  • {proxy_hostname} : will be replaced with this proxy's hostname

HINT: Rules are processed from top to bottom: put the most specific rules before the generic ones.

Useful References

Credits

CORSflare is strongly based upon the following projects:

More Repositories

1

DownPicker

A lightweight DropDownList / ComboBox for iOS, written in Objective-C
Objective-C
202
star
2

bootstrap4-glyphicons

How use Glyphicons with Bootstrap 4 (without getting mad)
40
star
3

LockProvider

A lightweight C# class that can be used to selectively lock objects, resources or statement blocks according to given unique IDs.
C#
37
star
4

PasswordGenerator

A simple C# helper class for ASP.NET Core to generate a random password with custom strength requirements: min length, uppercase, lowercase, digits & more
C#
37
star
5

ASP.NET-Core-Web-API

Code repository for the Building Web APIs with ASP.NET Core Manning book by Valerio De Sanctis
C#
36
star
6

Tabulazer

A Chrome Extension to filter, sort, page and style any existing HTML table using the Tabulator JS library.
JavaScript
24
star
7

REPflare

A lightweight Cloudflare Worker to replace text and inject styles and scripts in any web page
JavaScript
22
star
8

RunningLow

Free PowerShell script to to check for low disk space on local and network drives and send e-mail alerts when it goes under a user-defined quota.
PowerShell
19
star
9

WindowsService.NET

A sample Windows Service (.NET Framework) C# boilerplate.
C#
18
star
10

FFmpeg-scripts

A collection of FFmpeg related bash scripts to perform video and/or audio real-time streaming over online streaming services such as Periscope and YouTube.
Shell
16
star
11

Disable-Inactive-ADAccounts

A small Powershell script that disables all the Active Directory user accounts inactive for more than X days.
PowerShell
12
star
12

dir2json

A PHP CLI script to ouput the contents of a whole directory tree to a JSON object
PHP
11
star
13

AESCrypt

Yet Another AES-Rijndael ASP.NET C# implementation with advanced configuration settings
C#
11
star
14

dobble

A JavaScript function to generate combinatorial geometric series for games such as Dobble (aka Spot it!) and to better understand the math logic behind them.
JavaScript
10
star
15

MergeTIFF

A lightweight .NET Core console program to merge multiple TIFF files into one.
C#
9
star
16

react-native-firebase-notifications

React Native sample app for Android and iOS with Push Notifications support using Firebase SDK and API.
Java
9
star
17

publicize-with-hashtags

Wordpress Plugin that automatically appends hashtags to content sent by Jetpack Publicize module. Hashtags will be created using post tags. Also includes dupe check, max char length check, space trimming & more.
PHP
8
star
18

CustomContent

A MantisBT 2.x plugin to insert custom HTML, PHP, JS and/or CSS in the Mantis Bug Tracker HTML layout.
PHP
7
star
19

jquery.scrolling

adds the *scrollin* and *scrollout* events to jquery, which will fire when any given element becomes (respectively) visible and invisible in the browser viewpori
JavaScript
6
star
20

RegExSplitter

Split a single-line JavaScript Regular Expression into multiple lines of code.
JavaScript
4
star
21

EmailValidator

A lightweight and customizable helper class to validate any e-mail address using the HTML living standards RegEx and/or ASP.NET Core built-in validators in C#
C#
3
star
22

NETCore-AzureSQL

A sample .NET Core App to show how to securely connect to an Azure SQL Database using managed identity.
C#
2
star
23

ASP.NET-Core-8-and-Angular

Official repository for ASP.NET Core 8 and Angular book by Valerio De Sanctis
C#
1
star
24

NETConf2020-ASP-NET-5-Structured-Logging

ASP.NET 5 Structured Application Logging samples using Application Insights (MS Azure) and Serilog (SQL Server, MariaDB)
TypeScript
1
star