- Add checkRateLimit option to the API.
- Extend the default server.js with environment variables
CORSANYWHERE_WHITELIST (re-using originWhitelist) and
CORSANYWHERE_RATELIMIT (using the new checkRateLimit option)
to make it easy to enforce usage limits.
- Document that Heroku doesn't want open proxies.
Some clients try to use CORS Anywhere, even for same-origin requests...
Add a new setting "redirectSameOrigin" to not waste server resources on
proxying such requests.
Fixes #42
It is not supported, and its current form was not documented.
If you need to proxy a request without listening on a port, just
dispatch a 'request' event on the return value of createServer().
Notes:
- npm run test also runs the memory tests, which might be flaky on
some systems.
- npm run test-coverage only runs the unit tests (it can't run the
memory test anyway because the memory tests create a Node child
process, and istanbul cannot cover that).
Heroku uses Strict Transport Security (HSTS), which forces that all
requests to *.herokuapp.com must use HSTS. However, Chrome cannot read
the CORS response after an HSTS redirect due to https://crbug.com/387198.
Since the request is going to be redirected to https anyway, the demo
and the documentation will use https by default.
From now on, redirects will automatically be handled by the browser.
Using the API by clients has become extremely easy.
Included JavaScript / jQuery snippets in the documentation to
demonstrate that it's easy to use the API.
One of the following headers is required by default:
- Origin: This header is always sent with CORS requests.
- X-Requested-With: This header is automatically added by jQuery on
same-origin requests.
These two headers effectively disable the ability to use the CORS
proxy for regular browsing.
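
Added example, not part of the commit log and not CORS Anywhere's own code: a sketch of how the required-header rule above can be combined with the origin whitelist and the redirectSameOrigin setting into one check that runs before the proxy contacts any upstream host. The function gateRequest, its return shape and the status codes are assumptions made for this illustration.

```javascript
// Added illustration. gateRequest is a hypothetical helper; only the header
// names and the setting names (originWhitelist, redirectSameOrigin) come from
// the log above. Status codes are choices made for this example.

// Decide what to do with a request before any upstream connection is opened.
// Returns { action: 'reject' | 'redirect' | 'proxy', status, location? }.
function gateRequest(headers, targetUrl, opts = {}) {
  const {
    requireHeader = ['origin', 'x-requested-with'],
    originWhitelist = [],          // empty list: every origin is accepted
    redirectSameOrigin = false,
  } = opts;

  // Header names are case-insensitive; normalise before looking them up.
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = v;

  // 1. At least one required header must be present. A URL typed into the
  //    address bar sends neither, so plain browsing through the proxy fails.
  if (requireHeader.length && !requireHeader.some((name) => h[name])) {
    return { action: 'reject', status: 400 };
  }

  const origin = h.origin || '';

  // 2. Exact string match on Origin. A request that carries only
  //    X-Requested-With has no Origin and fails a non-empty whitelist.
  if (originWhitelist.length && !originWhitelist.includes(origin)) {
    return { action: 'reject', status: 403 };
  }

  // 3. Refuse targets that do not parse as absolute URLs.
  let target;
  try {
    target = new URL(targetUrl);
  } catch (e) {
    return { action: 'reject', status: 400 };
  }

  // 4. Same-origin requests need no CORS proxy: send the client to the
  //    target directly instead of spending proxy resources on it.
  if (redirectSameOrigin && origin && target.origin === origin) {
    return { action: 'redirect', status: 301, location: target.href };
  }
  return { action: 'proxy', status: 200 };
}
```

The order matters: the cheap header and whitelist checks run first, so rejected requests never cause URL parsing or an outbound connection.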
Android's stock browser (and Webview) does not recognize the
Access-Control-Expose-headers response header.
Use the status text field to pass through this information.
Updated demo and documentation.