Updated · Jan 10, 2024
Harsha Kiran is the founder and innovator of Techjury.net. He started it as a personal passion proje...
Updated · Jul 28, 2023
Florence is a dedicated wordsmith on a mission to make technology-related topics easy-to-understand....
A CORS error is one of the most common website development issues where users see broken images, video players not showing, or website functions not working.
These errors happen when a server hosting the requested content refuses a CORS request based on its configuration.
Proxy servers, specifically CORS proxies, can resolve this but with a few caveats.
Continue reading to learn more about CORS proxies and the risks associated with their use.
Before diving into CORS proxies, it is crucial to understand what CORS is and how it works.
CORS, or Cross-Origin Resource Sharing, is a mechanism used to request content hosted on a server of a different origin.
To give you some clarity, here are some CORS examples.
The CORS mechanism is usually adopted as a flexible solution, since most web browsers implement the same-origin policy for end-user safety.
Under the same-origin policy, websites can only source content if it comes from the same domain, port number, and security protocol. This is not always the case, so CORS comes into the picture.
To overcome errors due to denied requests, the host server must change its CORS configuration, or the request must go through a CORS proxy.
📖 Definition: A CORS proxy acts as a middleman between the requesting client or browser and the server hosting the desired content. CORS proxies are created to overcome CORS errors.
Based on the example given above, here’s how a CORS proxy will work:
It may look easy, but there are security risks involved in using CORS proxies. These risks will be discussed in the next section.
Here are the risks involving the use of CORS proxies and how they can be handled:
CORS proxies can do anything with the traffic that passes through them.
Sending traffic to a CORS proxy means that you absolutely trust the proxy. It can read all the data you pass through, with almost no exception.
Free proxies are dangerous, let alone free CORS proxies.
For example, if your site is set up to get JavaScript content from a different origin, you also allow the CORS proxy to run any JavaScript on your site.
Letting other people take control of your site’s functions can be terrifying. It is better to create your own proxy server for CORS or rely on a trusted paid provider.
✅ Pro-tip: Always do a thorough check before choosing a proxy provider, even if you’re planning to use paid ones. This ensures better security and minimizes the associated risks.
Responses from the requested servers may include cookies. Browsers may be unable to differentiate their intended use as they only interact with the CORS proxy server.
Let’s say example.com needs to source content from example2.com.
The browser sends a request to the CORS proxy server, and the response includes a “Set-Cookie” header. The cookie intended for example2.com is saved in the browser.
In another section of the site, example.com needs to source content from example3.com.
The browser sends a request to the CORS proxy but includes the cookies intended for example2.com. It only interacts with the CORS proxy, so it does not know the difference.
It all comes down to how much you trust the proxy server and the servers hosting the content you need.
If you have control of the CORS proxy server, it might be better to remove cookie headers altogether. The same is true for allowing the transfer of credentials.
✅ Pro-tip: To avoid the risk of cookies being sent to unintended destinations, you should consider removing cookie headers and assess the reliability of the proxy and content-hosting servers.
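One way a self-hosted proxy can drop cookie and credential headers in both directions, as described above. This is an added example, not code from the article or from any of the proxies it lists; `ALLOWED_ORIGINS`, the function names and the sample headers are assumptions made for illustration.

```javascript
// Added example: header handling for a self-hosted CORS proxy.
// ALLOWED_ORIGINS and all function names are assumptions for illustration.
const ALLOWED_ORIGINS = new Set(['https://example.com']);

// Browser credentials that must not be forwarded to the upstream server.
const STRIP_FROM_REQUEST = new Set(['cookie', 'authorization', 'proxy-authorization']);
// Upstream headers that must not reach the browser: cookies would be stored
// against the proxy's origin, and the proxy writes its own CORS headers.
const STRIP_FROM_RESPONSE = new Set([
  'set-cookie', 'set-cookie2',
  'access-control-allow-origin', 'access-control-allow-credentials',
]);

// Copy headers with lower-cased names, leaving out the blocked ones.
function filterHeaders(headers, blocked) {
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    const key = name.toLowerCase();
    if (!blocked.has(key)) out[key] = value;
  }
  return out;
}

// Headers the proxy forwards upstream for a browser request.
function upstreamRequestHeaders(browserHeaders) {
  return filterHeaders(browserHeaders, STRIP_FROM_REQUEST);
}

// Headers the proxy returns to the browser, or null if the origin is not allowed.
function browserResponseHeaders(upstreamHeaders, requestOrigin) {
  if (!ALLOWED_ORIGINS.has(requestOrigin)) return null;
  const out = filterHeaders(upstreamHeaders, STRIP_FROM_RESPONSE);
  out['access-control-allow-origin'] = requestOrigin;
  out['vary'] = out['vary'] ? out['vary'] + ', Origin' : 'Origin';
  // Access-Control-Allow-Credentials is deliberately never set.
  return out;
}

// Constructed sample: example.com fetching from example2.com through the proxy.
const sampleRequest = { Cookie: 'session=abc', Accept: 'application/json' };
const sampleUpstream = { 'Set-Cookie': 'id=1; Path=/', 'Content-Type': 'application/json' };
```

Because the cookie from example2.com never reaches the browser, there is nothing for it to attach to a later request for example3.com.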
If you decide to host an internal CORS proxy, there is a danger that your internal network will be exposed to outside users.
This attack is also known as server-side request forgery (SSRF). This can be done by sending a request through the proxy to access internal resources.
A user can set the destination to 127.0.0.1 or localhost to make the proxy send the request back to its own host or internal network.
This attack can potentially acquire admin interface access or obtain sensitive information.
✅ Pro-tip: Whitelisting origin requests can help avoid this. By allowing requests from trusted sources only, you can reduce the risk of unauthorized access to sensitive internal resources.
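A destination check for a self-hosted proxy that rejects the 127.0.0.1 and localhost requests described above. This is an added example, not code from the article; it goes one step beyond the pro-tip by allowlisting the destination host as well as the requesting origin, and `ALLOWED_TARGETS` and `checkTarget` are assumptions made for illustration.

```javascript
// Added example: destination check for a self-hosted CORS proxy.
// ALLOWED_TARGETS and checkTarget are assumptions for illustration.
const ALLOWED_TARGETS = new Set(['example2.com', 'example3.com']);

// True for IPv4 literals in unspecified, loopback, private or link-local ranges.
function isInternalIPv4(host) {
  const m = /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/.exec(host);
  if (!m) return false;
  const a = Number(m[1]);
  const b = Number(m[2]);
  return a === 0 || a === 10 || a === 127 ||
    (a === 169 && b === 254) ||
    (a === 172 && b >= 16 && b <= 31) ||
    (a === 192 && b === 168);
}

// Returns { ok, reason } for a destination URL supplied by the client.
function checkTarget(rawUrl) {
  let url;
  try {
    url = new URL(rawUrl);
  } catch {
    return { ok: false, reason: 'unparseable URL' };
  }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') {
    return { ok: false, reason: 'scheme not allowed' };
  }
  // The URL parser normalizes numeric IPv4 forms to dotted-quad,
  // so the range check below runs on the canonical address.
  const host = url.hostname.toLowerCase();
  if (host === 'localhost' || host.endsWith('.localhost')) {
    return { ok: false, reason: 'loopback name' };
  }
  if (isInternalIPv4(host)) return { ok: false, reason: 'internal IPv4 address' };
  if (host.startsWith('[')) return { ok: false, reason: 'IPv6 literal not allowed' };
  if (!ALLOWED_TARGETS.has(host)) return { ok: false, reason: 'host not on allowlist' };
  // An allowlisted name can still resolve to an internal address, so the
  // resolved IP should be checked again when the connection is made.
  return { ok: true, reason: 'allowed' };
}
```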
While there are risks to using CORS proxies, there are also ways to mitigate them.
As long as they are used cautiously, CORS proxies have the potential to be a long-term solution to CORS errors.
With that in mind, here is a list of CORS proxies that you can employ:
Cloudflare is one of the leading CDNs in the world. What makes it popular is its free plan with no time limit.
Its CORS proxy runs on Cloudflare Workers. One of its remarkable features is content caching, which keeps a response ready for delivery when a subsequent request arrives with the same header.
Keep in mind that you have to pay to extend the features and increase the number of requests.
However, it is guaranteed to be worth the money, given that Cloudflare is a trusted brand that supports over 27 million websites worldwide.
Price: FREE
CORS Anywhere is a popular open-source module for Node.js.
It lets you run a proxy server for CORS locally. This will bypass the CORS limitation imposed by the browser, since CORS is a policy enforced by the browser.
This tool will reroute the request to the local proxy. The proxy will fetch the data from the target origin, then pass it to the browser with proper headers.
CORS Anywhere is a free tool attractive to developers and website owners. The downside is you will always have to run Node.js to keep it working.
Price: $4/month – 500,000 requests per month
Another paid CORS proxy service is CORS.SH. The code here is based on CORS Anywhere but with an added playground.
The basic plan can support up to 500,000 requests per month with no hourly limit.
CORS.SH will save you from running Node.js all the time to keep the proxy working.
However, you should remember the basic CORS proxy precautions when using someone else’s CORS proxy.
CORS proxies have some serious safety issues, but with the necessary precautions they can be a reliable solution for overcoming CORS errors.
Some CORS proxies are limited to test use and not production. You should keep an eye on the use-case recommendations on any CORS proxy you can find.
This means you are allowing HTTP requests to source content from your server. You can whitelist the domains that send you these requests, so there should be no problem.
CORS prevents arbitrary and unrestrained requests to any website’s or server’s resources. It considers the existence of requests from malicious scripts that aim to steal sensitive data.
If CORS is poorly configured, servers may respond to almost any request and leak sensitive data.