- saves bytes, and avoids triggering IDS/WAF alarms since browser fingerprinting
will prove these headers are unnatural and on SSL must be a MITM attack
- leave x-forwarded-* intact since they can be used to block CORS proxy
abuse if the non-CORS origin webmaster really has to block the proxy,
and they are not unique to the Heroku platform
- the Access-Control-Max-Age header only has meaning for preflights, not
POST or GET; excluding it from POST/GET/etc. saves wire bytes and avoids
future problems if ACMA on a content HTTP method is given meaning by
W3C or a browser vendor
- fix expectNoHeader() test helper func; this was a no-op before by
accident and would NEVER fail.
supertest/test.js: Test.prototype._assertFunction requires a retval of
class type Error if the test fails, not a string, a number or an Object
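As an added illustration of the helper bug this commit describes (not code from CORS Anywhere or supertest), a minimal model of supertest's `_assertFunction` check next to a buggy and a fixed `expectNoHeader`; the names `assertFunction`, `expectNoHeaderBuggy`, `expectNoHeaderFixed`, `mockRes` and `demo` are assumed here.

```javascript
// Added example, not code from CORS Anywhere or supertest. assertFunction is a
// simplified model of supertest's Test.prototype._assertFunction; the
// expectNoHeader* helpers and mockRes are hypothetical/constructed.

// Run an assertion callback; report failure only if it returns or throws an Error.
function assertFunction(fn, res) {
  let err;
  try {
    err = fn(res);
  } catch (e) {
    err = e;
  }
  if (err instanceof Error) return err;
  return undefined; // strings, numbers, plain objects all count as "passed"
}

// The accidental no-op: a returned string is never treated as a failure.
function expectNoHeaderBuggy(name) {
  return (res) => {
    if (name.toLowerCase() in res.headers) {
      return 'Unexpected header ' + name;
    }
  };
}

// The fix: return an Error instance so the check can actually fail the test.
function expectNoHeaderFixed(name) {
  return (res) => {
    const key = name.toLowerCase();
    if (key in res.headers) {
      return new Error('Unexpected header ' + name + ': ' + res.headers[key]);
    }
  };
}

// Constructed mock response; Node stores response header names lower-cased.
const mockRes = {
  headers: { 'access-control-allow-origin': '*', 'access-control-max-age': '600' },
};

// Compare the two helpers against the same response.
function demo() {
  return {
    buggy: assertFunction(expectNoHeaderBuggy('Access-Control-Max-Age'), mockRes),
    fixed: assertFunction(expectNoHeaderFixed('Access-Control-Max-Age'), mockRes),
    absent: assertFunction(expectNoHeaderFixed('X-Forwarded-Proto'), mockRes),
  };
}
```

With the header present, the buggy helper yields no failure while the fixed one yields an Error; with the header absent, both pass.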
The test broke because Node lowered the maximum header size to defend
against large headers (CVE-2018-12121).
In the test, we do actually want to pass large headers, because all
processing in CORS Anywhere is based on headers (the request body would
just be forwarded to the destination server).
The test failed intermittently with ECONNRESET or "socket hang up"
because the server (under test) would close the socket upon receiving
a request with too large request headers.
- Reject invalid URLs earlier instead of trying to continue with the
request (and failing anyway).
- Explicitly close the response when an error occurs for Node 13+.
- Update tests to cover up to Node 14 (was up to 9).
Starting from Node 12, the test started to fail because of
intermittent socket errors, such as ECONNRESET and "socket hang up".
Destroying the response before triggering a new request resolves it.
- Add ability to rate-limit/block requests by origin (#45).
- Avoid crashing on invalid HTTP status codes (#95).
- Support and test coverage for latest Node.js versions (up to 9).
- Support `Access-Control-Max-Age` via `corsMaxAge` option.
- Listen on `0.0.0.0:8080` by default instead of `127.0.0.1:8080`.
(use `HOST` and `PORT` environment variables to override this).
- Update gTLD list.
Travis build failed on "Uncaught TypeError: Object.keys called on non-object".
That's a real error (res._headers was initially null until a header is set).
This communicates more clearly for which versions of Node.js
the tests have run.
8 is not listed because tests are failing due to the nock HTTP mocking
library being incompatible with Node v8.
When proxyReq is aborted (by us - in response to a redirect response),
it can ultimately trigger an "error" event of type ECONNRESET.
This error was unconditionally propagated to the error handler:
https://github.com/nodejitsu/node-http-proxy/blob/v1.11.1/lib/http-proxy/passes/web-incoming.js#L134-L140
Our proxy error handler responds by writing a response + error code,
which prevents the response from being overwritten.
I found this after upgrading the nock library to 5.2.1+, which contains
510e31c73e
The redirect tests that were previously passing in Node 0.10.x were
failing, with errors like "Can't set headers after they are sent.".
The new implementation makes sure that the proxied response is not
forwarded to the original response.
- Add checkRateLimit option to the API.
- Extend the default server.js with environment variables
CORSANYWHERE_WHITELIST (re-using originWhitelist) and
CORSANYWHERE_RATELIMIT (using the new checkRateLimit option)
to make it easy to enforce usage limits.
- Document that Heroku doesn't want open proxies.
- CI & 100% test coverage
- Do not crash when a malformed HTTP response is received.
- Remove getHandler (its documented form was broken anyway).
- Allow custom help file to be set.
- Add option to redirect same-origin requests instead of proxying them.
Some clients try to use CORS Anywhere, even for same-origin requests...
Add a new setting "redirectSameOrigin" to not waste server resources on
proxying such requests.
Fixes #42
It is not supported, and its current form was not documented.
If you need to proxy a request without listening on a port, just
dispatch a 'request' event on the return value of createServer().