Remove manual redirect handling

From now on, redirects will automatically be handled by the browser.
Using the API by clients has become extremely easy.

Included JavaScript / jQuery snippets in the documentation to
demonstrate that it's easy to use the API.

lib/cors-anywhere.js

@@ -64,11 +64,16 @@ function withCORS(headers, request) {
 function isForbidden(host) {
   return false; // TODO
 }
-function proxyRequest(req, res, proxy, full_url, proxyOptions) {
+function proxyRequest(req, res, proxy, full_url, isRequestedOverHttps, proxyOptions) {
   if (isForbidden(proxyOptions.host)) {
     res.writeHead(403, 'Refused to visit', withCORS({'Location': full_url}, req));
     return;
   }
+
+  var realHost = req.headers.host;
+  // Let the "Host" header be the host part of the path (including port, if specified).
+  req.headers.host = full_url.split('/', 3)[2];
+
   // Hook res.writeHead
   var res_writeHead = res.writeHead;
 
@@ -84,13 +89,10 @@ function proxyRequest(req, res, proxy, full_url, proxyOptions) {
     if (statusCode === 301 || statusCode === 302 || statusCode === 303 || statusCode === 307 || statusCode === 308) {
       var locationHeader = headers['location'] || res.getHeader('location');
       if (locationHeader) {
-        headers['location'] = url.resolve(full_url, locationHeader);
+        res.removeHeader('location');
+        headers['location'] = (isRequestedOverHttps ? 'https://' : 'http://') + realHost + '/' +
+                               url.resolve(full_url, locationHeader);
       }
-      // Put redirect URL in status text so that user agents that do not recognize the Access-Control-Expose-Headers
-      // response header can still read the target URL.
-      reasonPhrase = statusCode + ' ' + (headers['location'] || '');
-      // Don't use 301 or 302 because browsers may cancel the request (observed in Chrome with a custom request header)
-      statusCode = 333;
     }
 
     // Don't slip through cookies
@@ -202,14 +204,13 @@ var getHandler = exports.getHandler = function(options) {
       // Change the requested path:
       req.url = path;
 
+      var isRequestedOverHttps = req.connection.encrypted || /^\s*https/.test(req.headers['x-forwarded-proto']);
+
       corsAnywhere.removeHeaders.forEach(function(header) {
         delete req.headers[header];
       });
 
-      // Only add port if it was explicitly set
-      req.headers.host = hostname + (match[4] ? ':' + port : '');
-
-      proxyRequest(req, res, proxy, full_url, {
+      proxyRequest(req, res, proxy, full_url, isRequestedOverHttps, {
         host: hostname,
         port: port,
         target: {

lib/help.txt

@@ -10,13 +10,6 @@ If the protocol is omitted, it defaults to http (https if port 443 is specified)
 
 Cookies are disabled and stripped from requests.
 
-Redirects are not automatically followed: The API response has status code 333.
-The client ought to confirm this redirection by creating a new request (the url
-is available in the Location response header).
-For user agents who do not support the Access-Control-Expose-Headers response header,
-the information is available in the status text as "<HTTP STATUS CODE> <LOCATION HEADER>".
-
-
 The requested URL is available in the X-Request-URL response header. Non-existence of this
 header implies that the requested URL was not recognized.
 
@@ -25,5 +18,6 @@ or the X-Requested-With header to be set. To avoid unnecessary preflight (OPTION
 it's recommended to not manually set these headers in your code.
 
 
-Demo        :   https://robwu.nl/cors-anywhere.html
-Source code :   https://github.com/Rob--W/cors-anywhere/
+Demo          :   https://robwu.nl/cors-anywhere.html
+Source code   :   https://github.com/Rob--W/cors-anywhere/
+Documentation :   https://github.com/Rob--W/cors-anywhere/#documentation