- Reject invalid URLs earlier instead of trying to continue with the
request (and failing anyway).
- Explicitly close the response when an error occurs for Node 13+.
- Update tests to cover up to Node 14 (was up to 9).
- Add ability to rate-limit/block requests by origin (#45).
- Avoid crashing on invalid HTTP status codes (#95).
- Support and test coverage for latest Node.js versions (up to 9).
- Support `Access-Control-Max-Age` via `corsMaxAge` option.
- Listen on `0.0.0.0:8080` by default instead of `127.0.0.1:8080`.
(use `HOST` and `PORT` environment variables to override this).
- Update gTLD list.
- Add checkRateLimit option to the API.
- Extend the default server.js with environment variables
CORSANYWHERE_WHITELIST (re-using originWhitelist) and
CORSANYWHERE_RATELIMIT (using the new checkRateLimit option)
to make it easy to enforce usage limits.
- Document that Heroku doesn't want open proxies.
- CI & 100% test coverage
- Do not crash when a malformed HTTP response is received.
- Remove getHandler (its documented form was broken anyway).
- Allow custom help file to be set.
- Add option to redirect same-origin requests instead of proxying them.
Notes:
- npm run test also runs the memory tests, which might be flaky on
some systems.
- npm run test-coverage only runs the unit tests (it can't run the
memory test anyway because the memory tests create a Node child
process, and istanbul cannot cover that).
- Support proxying through proxy (`getProxyForUrl` option, defaulting to
proxy configuration from the environment variables, see
https://github.com/Rob--W/proxy-from-env) (#37).
- Update gTLD list.
Changes:
- Updated to node-http-proxy 1.11.1 from 1.3.0
- Add httpsOptions configuration to listen as a https server.
- Update gTLD list, and allow requests to unlisted TLDs if the
scheme is explicitly set (#14).
- Added loads of unit tests and automatic memory leak tests.
Using the performNRequests, I collected the following statistics
before choosing the maximum allowed "leaked" memory.
Node.js 0.12.2,
Using the http module ('use-http-instead-of-cors-anywhere'):
Memory usage delta: 132800 (100 requests of 50 kb each, 250ms)
Memory usage delta: 110144 (100 requests of 1 kb each, 172ms)
Memory usage delta: 709936 (1000 requests of 1 kb each, 902ms)
Memory usage delta: 865104 (10000 requests of 1 kb each, 7073ms)
Memory usage delta: 930416 (100000 requests of 1 kb each, 62856ms)
Using CORS Anywhere:
Memory usage delta: 356784 (100 requests of 50 kb each, 1004ms)
Memory usage delta: 355248 (100 requests of 1 kb each, 641ms)
Memory usage delta: 1326856 (1000 requests of 1 kb each, 3338ms)
Memory usage delta: 1462584 (10000 requests of 1 kb each, 21186ms)
Memory usage delta: 1473624 (100000 requests of 1 kb each, 211202ms)
Clearly, there is a small leak, but it is not proportional/linear
in terms of the number of requests, so the observed "leak" is probably
not an issue. Furthermore, the "leak" also occurs with the plain
http module.
After setting fixed limits, I ran the tests on Node.js 0.10.25 and
observed that the tests failed due to the too low limits, so I
incremented the limits (400 -> 550, 1500 -> 2000).
All xfwd and tests fails with this change, but that's because the
tests themselves were incorrect (using port 80/443 instead of the
ephemeral ports created for the tests).
webkit-devtools-agent (tested with 0.2.4 and 0.3.1) is incompatible with
Node 0.12.0. The manual test adds no value at this point, so it has been
removed, including the dependencies (webkit-devtools-agent).
If you wish to check if the API works, launch demo.html,
set the global cors_api_url variable to your local instance,
enter an URL and press "GET" or "POST".
From now on, redirects will automatically be handled by the browser.
Using the API by clients has become extremely easy.
Included JavaScript / jQuery snippets in the documentation to
demonstrate that it's easy to use the API.
One of the following headers is required by default:
- Origin: This header is always sent with CORS requests.
- X-Requested-With: This header is automatically added by jQuery on
same-origin requests.
These two headers effectively disable the ability to use the CORS
proxy for regular browsing.
