Are you developing a JavaScript application that needs to invoke an XHR on a different domain?
Of course you will run into the Same Origin Policy and have to write some CORS headers in your request message. But if you want to bypass all the security issues and you cannot modify your code, you can use a CORS proxy.
I found this tool in the Node Package Manager, and I solved my needs in an easy way.

The Same Origin Policy (SOP) is the set of security rules adopted by all modern internet browsers to prevent security issues. The basic concept is to check whether the source domain (origin) matches the target domain; if they do not match, an exception is thrown. Without the SOP, JavaScript would let developers send requests to other domains and handle the responses in the DOM of the current domain. Every time we create an XHR object, the browser checks the target domain of the request and verifies that it is the same as the source domain (the domain from which the browser downloaded the JavaScript code being executed). In other words, if the browser downloads and executes the JavaScript code below from domain http://127.0.0.1:8080, it will not work.

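var request = new XMLHttpRequest();
var url = "http://www.luigibifulco.it/blog/it";
request.open("GET", url, true);
request.onload = onload;
// If the browser blocks the cross-origin response, onload never fires;
// the failure surfaces through the error event instead.
request.onerror = function () {
    console.error("Request blocked or failed");
};
request.send();

function onload() {
    if (request.status === 200) {
        console.log("OK");
    } else {
        console.error("Status code was " + request.status);
    }
}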

This is because the domain 127.0.0.1:8080 is different from www.luigibifulco.it!

CORS (Cross-Origin Resource Sharing) is a way to share resources between different domains that are trusted. If domain A sends an XHR to domain B, B can answer A with a special header in the response to say, "Oh yeah, I remember you :)", or simply deny access.
So, using the same example, if B answers with a header like this:

Access-Control-Allow-Origin: A

then the SOP will not block the XHR sent from domain A. This type of CORS requires an agreement with whoever is responsible for the target domain, so that the domains are trusted and some response headers are modified on the server side.

With Cors-Proxy you can install a simple HTTP server on your machine that forwards all HTTP requests to other domains. In other words, the request is made by the server. The useful thing is that forwarding works with an easy URI syntax, such as:

 "http://localdomain:localport/externaldomain:externalport/path/to/resource"

You can download and install Cors-proxy from NPM by launching this command in a shell:

npm install -g corsproxy

Once installed, you can launch it with the corsproxy command; a server is spawned on port 1337.
Now we can run a test by making a request to my blog:

"http://127.0.0.1:1337/www.luigibifulco.it/blog/it"

Cors-proxy can be used to do CORS without the overhead of writing request or response headers. From now on all your cross-domain requests will work. There is no trick: in fact the SOP will not generate any exception, because the source domain will be the same in every request (127.0.0.1:1337). We can make the previous invocation in this way:

var request = new XMLHttpRequest();
var proxy = "http://127.0.0.1:1337/";
// Same request as before, but addressed to the local proxy.
var url = proxy + "www.luigibifulco.it/blog/it";
request.open("GET", url, true);
request.onload = onload;
request.send();

function onload() {
    if (request.status === 200) {
        console.log("OK");
    } else {
        console.error("Status code was " + request.status);
    }
}

All you have to do with cors-proxy is point the browser at the proxy and change the base path of the requests in your JavaScript code :).
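A proxy that forwards to whatever host appears in the path will fetch any address the machine can reach, so it is worth restricting it to the upstreams you actually need and keeping it on loopback. The sketch below is an added example, not code from corsproxy or from this post: it parses the "/externaldomain:externalport/path" syntax shown earlier and forwards only to an allow-list. The names ALLOWED_UPSTREAMS, ALLOWED_ORIGIN, resolveTarget and startProxy are hypothetical.

```javascript
// Allow-list check for a forwarding proxy that uses the
// "/externaldomain:externalport/path" URI syntax described above.
const ALLOWED_UPSTREAMS = new Set(["www.luigibifulco.it:80"]);
const ALLOWED_ORIGIN = "http://127.0.0.1:8080"; // the page that runs the XHR

// Turn "/host[:port]/path?query" into an upstream URL, or null if rejected.
function resolveTarget(requestPath, allowed = ALLOWED_UPSTREAMS) {
  const match = /^\/([^\/?#]+)(\/[^#]*)?$/.exec(requestPath);
  if (!match) return null;
  let target;
  try {
    target = new URL("http://" + match[1] + (match[2] || "/"));
  } catch (e) {
    return null; // not a parsable host
  }
  // A "user@host" authority would make the real host differ from the prefix.
  if (target.username || target.password) return null;
  const hostPort = target.hostname + ":" + (target.port || "80");
  return allowed.has(hostPort) ? target : null;
}

// Loopback-only server: forwards allowed GETs, answers 403 otherwise.
async function startProxy(port = 1337) {
  const http = await import("node:http");
  const server = http.createServer(async (req, res) => {
    const target = req.method === "GET" ? resolveTarget(req.url) : null;
    if (!target) {
      res.writeHead(403).end("upstream not allowed\n");
      return;
    }
    try {
      // Redirects are not followed, so the upstream cannot steer the proxy.
      const upstream = await fetch(target, { redirect: "manual" });
      res.writeHead(upstream.status, {
        "Content-Type": upstream.headers.get("content-type") || "text/plain",
        "Access-Control-Allow-Origin": ALLOWED_ORIGIN, // one origin, not "*"
      });
      res.end(Buffer.from(await upstream.arrayBuffer()));
    } catch (e) {
      res.writeHead(502).end("upstream error\n");
    }
  });
  server.listen(port, "127.0.0.1"); // reachable from this machine only
  return server;
}
```

Call startProxy() to listen on 127.0.0.1:1337; the global fetch it relies on needs Node 18 or later.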


