CorsProxy
2 points by kaycebasques
Huh, the FAQ section at the bottom has some broken JS so it's not easy to see the answer to "how secure is my data with CorsProxy?" It's:
Security is a top priority for CorsProxy. We use industry-standard encryption for data in transit and at rest. Additionally, we offer features like API key management and allowed referrers to ensure that your usage is secure.
Is this a paid, huge MITM vector from an unknown new company that cannot get their front page to work correctly?
I guess there are a lot of data requests that are fine to MITM, but yes, it cannot not be a MITM.
You can say a double MITM, because it also adds CloudFlare if it weren't there!
This feels wrong. I can see the pain point of CORS, but the whole idea is to restrict browser access.
I also agree that it feels wrong, but on the other hand CORS at large feels wrong to me. Hands down my most common friction point when developing toy web apps. Would never trust this CorsProxy thing with sensitive data, of course. But most of my projects never depend on sensitive data.
CORS at large feels wrong to me
In the case where I'm handling PII, CORS is fine and works as intended. But in my experience this is the exception, not the norm. And the fact that whatever cross-origin REST API I'm trying to use lets me access from my server without authentication suggests that the resource intended to make their data open. But what usually ends up happening is that this cross-origin resource just forgets to configure CORS on their server and I'm left having to spin up an otherwise unnecessary server to work around the issue. In other words, CORS is a big impediment to the open web.
Wait, free tier without an account is for development from localhost only.
Do I correctly understand that if I send any request with an Origin header of localhost then they will forward all my traffic for me?
Neat. Can't see how that might go wrong at all.
I just used it without signing up for anything, so not sure about the localhost only thing.
I tried it without signing up, from command line with basic browser fingerprint replication, without any Origin, for https://w3.org/ so just HTML not API… yeah, it is an open proxy with an extra header on the reply.
I'm not affiliated with this product. I think it's just an interesting solution to the thing that always disrupts my toy web apps: CORS. I posted it in case it might spur a broader discussion of CORS.
This is a very complex and insecure solution for a problem that could be solved by adding a single header.
Do you mean adding a header on the request-target side (which you typically don't control)?
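The "single header" fix and the open-data versus PII distinction raised in the thread, sketched from the API server's side as an added example (not code from the thread or from CorsProxy). The origin allowlist, the `credentialed` route flag and the function name are assumptions for illustration.

```javascript
// Added example: choose CORS response headers on the request-target side.
// ALLOWED_ORIGINS is a constructed allowlist, not a value from the page.
const ALLOWED_ORIGINS = new Set(["https://app.example.com"]);
const ALLOWED_METHODS = "GET, POST, OPTIONS";
const ALLOWED_REQUEST_HEADERS = "Content-Type";

// method:        HTTP method of the incoming request
// origin:        value of the Origin request header (undefined if absent)
// requestMethod: value of Access-Control-Request-Method (preflight only)
// credentialed:  true for routes that rely on cookies/auth or return PII
function corsHeaders({ method, origin, requestMethod, credentialed }) {
  const headers = {};
  let allowed = false;

  if (!credentialed) {
    // Open, unauthenticated data: one header makes it readable from any page.
    headers["Access-Control-Allow-Origin"] = "*";
    allowed = true;
  } else {
    // "*" is rejected by browsers on credentialed requests, so echo back an
    // allowlisted origin only, and tell caches the response varies by Origin.
    headers["Vary"] = "Origin";
    if (origin && ALLOWED_ORIGINS.has(origin)) {
      headers["Access-Control-Allow-Origin"] = origin;
      headers["Access-Control-Allow-Credentials"] = "true";
      allowed = true;
    }
  }

  // A preflight is an OPTIONS request carrying Origin and
  // Access-Control-Request-Method; answer it only for permitted origins.
  const isPreflight =
    method === "OPTIONS" && Boolean(origin) && Boolean(requestMethod);
  if (isPreflight && allowed) {
    headers["Access-Control-Allow-Methods"] = ALLOWED_METHODS;
    headers["Access-Control-Allow-Headers"] = ALLOWED_REQUEST_HEADERS;
    headers["Access-Control-Max-Age"] = "600";
  }

  // These headers only instruct browsers. Origin is supplied by the client,
  // so this is not access control: credentialed routes still need real
  // authentication on the server.
  return { isPreflight, headers };
}
```
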