hyperobject / crossorigin.me Goto Github PK

I'm making a request through crossorigin.me and receiving a gzipped response which is undesirable in my case. I assume your "Accept-Encoding" request headers are including "gzip" – is there any way to disable this? Would it make sense to disable it by default, or is this use case common for your users?

Regardless – thanks for this project!

When I fetch some data that contains accents of all sorts (hey, don't judge me, I speak french), the returned result messes up all the accents.

I have this piece of code client-side that fixes some problems, but it can't fix data coming back from the server:

$.ajaxSetup({ scriptCharset: "utf-8", contentType: "application/json; charset=utf-8" });

That would be a very nice addon to your awesome proxy.

• Max

CloudFlare responds with Error 521 for every request to https://crossorigin.me/

on index.html

fun app. found the site, then noticed it was made in nodejs and that you published the code because you're awesome. so... keep doing that.

Hello,

First of all, thank you very much for having this service up and running.

I was using crossorigin.me for one tutorial I'm writing involving podcasts information and I discovered thant when I'm issuing request to one specific domain, the response does not include the expected Access-Control-Allow-Origin.

I found this problem with request to www.npr.org domain.

Here is a short list of podcasts feed URLs I'm having problems with:

 http://crossorigin.me/http://www.npr.org/rss/podcast.php?id=272112020
 http://crossorigin.me/http://www.npr.org/rss/podcast.php?id=510292
 http://crossorigin.me/http://www.npr.org/rss/podcast.php?id=510306

These are other podcasts feed URLs that show no problem:

http://crossorigin.me/http://feeds.feedburner.com/tiestos_club_life
http://crossorigin.me/http://static.aboveandbeyond.nu/grouptherapy/podcast.xml
http://crossorigin.me/http://songexploder.libsyn.com/rss    

Any idea about why the lack of the expected header?

Thanks.

In this video after 11 seconds it pauses every time. I think it is an issue with crossorigin. https://crossorigin.me/https://r1---sn-8xgp1vo-p5q6.googlevideo.com/videoplayback?ratebypass=yes&pfa=5&itag=22&cnr=14&mime=video/mp4&initcwndbps=2015000&sver=3&fexp=3300116,3300132,3300164,3311881,3312144,3312381,3312725,3313263,9416126,9416891,9419451,9422596,9422844,9428398,9429743,9431012,9433096,9433380,9433946,9435526,9435580,9435681,9435876,9436588,9437066,9437164,9437553,9437679,9437742,9438337,9438768,9438974,9439356,9439581,9439652,9439853,9440168&ipbits=0&source=youtube&signature=87B14C817E2CE3432F6962619125217BB9F0680B.89D4487267969DE0A69391C11957A909638D240C&ctier=A&mt=1466814920&requiressl=yes&ms=au&mv=m&hightc=yes&pl=16&dur=247.664&lmt=1466769810651137&ip=96.255.116.80&id=o-AC4k_3w7AyuAtz1IBrqz_ovhTaDEBMwC8nPUdYpD-i4W&mn=sn-8xgp1vo-p5q6&mm=31&key=yt6&upn=HTrmbdIV6kw&expire=1466836681&sparams=cnr,ctier,dur,hightc,id,initcwndbps,ip,ipbits,itag,lmt,mime,mm,mn,ms,mv,pfa,pl,ratebypass,requiressl,source,upn,expire&title=A%20Mother%27s%20Overbearing%20Love

the service is down!

Has anyone tried using this in Internet Explorer 9 and made it work?
tanks

This leads to the strange situation, where a source already sets a Access-Control-Allow-Origin header (e.g. to mydomain.com) and the proxy adds the Access-Control-Allow-Origin: *. This is something most browsers do not support and therefore the request fails.

I think the Access-Control-Allow* headers that the proxy sets, should not be passed through from the original source. WDYT?

Can't replicate on local copy, possibly some sort of caching bug related to cloudflare?

Affected URLs:

• http://quotes.stormconsultancy.co.uk/random.json
• http://www.ctabustracker.com/bustime/api/v1/getpredictions

Hey,

thanks for the free proxy! It's really really helpful for hacking stuff together, where I don't want to deal with running and coding something.

I could not find other contact to you, so I am writing here. :)

I will close this issue immediately

Just tried to circumvent cross origin request issues using the service but it doesn't seem to work. Somewhere I read that it is because Google won't serve data under http, but https... is there a way to fix that? Thanks!

The proxy allows an attacker to read the contents of any file present on the server:

$ curl -s http://crossorigin.me//app/index.js | head -n 34 | tail -n 1
        res.write(fs.readFileSync(req.url.slice(1)));

Posted on the wrong repo...

im trying to use crossorigen.me but this is not working with stream files, can u help me?

I wanted to use your http://crossorigin.me thingy with my couchdb revision tree visualizer. However, pouchdb shows the following error:

XMLHttpRequest cannot load http://crossorigin.me/daleharvey.iriscouch.com/grocery/?_nonce=1430764622203. A wildcard '*' cannot be used in the 'Access-Control-Allow-Origin' header when the credentials flag is true. Origin 'http://localhost:8000' is therefore not allowed access.

Maybe you want to use some more advanced cors proxy that includes all the necessary headers?

Hi I am trying to implement the functionality where I need to fix crossorigin issue. I found crossorigin.me useful in this category. But the site is giving below error.

Error 522 Ray ID: 2938b7d5a0fb2ddf • 2016-04-14 17:01:24 UTC
Connection timed out

Could you please intimate? Also share the up time so that I can make a decision whether to consider for app or not.

Thanks.

seems like crossorigin.me is down . Can you be able to check for me

Hi! Not sure if this is the best place to put this, but I couldn't see an email address on your page. Firstly, thanks so much for putting this together – it's amazingly useful!

I've come across an issue when using crossorigin.me to fetch mp3 files from another server. When I try to set 'currentTime' to jump to a specific time, it resets it back to the beginning. Apparently this is due to the server needing to respond to byte range requests (see http://stackoverflow.com/a/9565178/4766571 and https://developer.mozilla.org/en-US/docs/Web/HTTP/Configuring_servers_for_Ogg_media#Handle_HTTP_1.1_byte_range_requests_correctly)

Is there any chance of implementing this?

Cheers!

it used to work as normal .

But today when I am invoking : https://crossorigin.me/https://www.google.com/

I am getting the error :
Origin: header is required

Any thing changed in there . Can you be able to help me resolving this issue . Thanks a lot for all your help.

This can be tested by a codepen from #50 http://codepen.io/anon/pen/JKKaZV

A request to http://api.forismatic.com/api/1.0/?lang=en&method=getQuote&format=json is stripped of its query params and becomes http://api.forismatic.com/api/1.0/ from crossorigin.

Hello,

I have some parse error with some SHOUTcast servers, examples:

http://crossorigin.me/http://198.50.246.192:9903/7.html
http://crossorigin.me/http://38.110.126.103:1448/index.html

Working example: http://crossorigin.me/http://206.190.143.197:8113/index.html

What's the problem ?

Several people have been overusing/abusing the service by downloading >1MB files every second, leading to a 6TB bandwidth usage in January. I'm thinking that the best way to deal with this is to restrict the size of files passed through the proxy (which might also help prevent pirating uses of the proxy, which I don't want).

However, I have no clue how to code this restriction - anyone have any ideas?

I'm trying this url: http://crossorigin.me/http://daleharvey.iriscouch.com/grocery/1323263686230-12546e1c-0087-4774-91fc-1407f2ad9306. It randomly fails with Error: make sure your URL is correct. If I keep refreshing it sometimes works and sometimes does not.

Judging by the list of banned sites, it seems to use a basic "indexOf" match regex | match. A list of regexes to match the site against would arguably be better for site ban rules.

https://​crossorigin.me/​https://​google.com
Doesn't seem to be working anymore.

Tested in Chrome 46 and Safari 9.0.1

I am seeing the following now when using crossorigin.me.

XMLHttpRequest cannot load https://crossorigin.me/http://mydomain/api. The 'Access-Control-Allow-Origin' header contains multiple values '*, https://creator.ionic.io', but only one is allowed. Origin 'https://creator.ionic.io' is therefore not allowed access.

Did something change regarding the header? It was working fine before and I have confirmed nothing has changed on the Ionic Creator side of things.

The service is down.

http://www.iswebsitedownnow.com/d/crossorigin.me

Want to back this issue? Post a bounty on it! We accept bounties via Bountysource.

Idea for v2

Cross Origin is up and down the last few days. Maybe for v2 you can have crossorigin.me/status just like github status

Hi.
I have been trying to get Nesbox to work with crossorigin.me (as a test). It runs AS3. I have looked in the browser console and it says it has tried to access http://crossorigin.me/crossdomain.xml, but there is a 500 error. Can this be fixed?
Thanks!

Please make crossorigin.me available over HTTPS!

This way it can be used in HTTPS pages without triggering mixed content errors.

At the moment, the easiest way to do this for free is to enable Cloudflare (takes 5 minutes). Soon, you’ll be able to use Let’s Encrypt.

https://crossorigin.me/https://google.com Error 502
The server is down ?

I am making one player with audio analyzer, But, it was getting CORS issue. So, i tried to use your link to access it like -- https://crossorigin.me/http://radio.streaminglive.eu:9058/;stream.mp3

But, it is giving some error like ==
HTTP load failed with status 500. Load of media resource https://crossorigin.me/http://radio.streaminglive.eu:9058/;stream.mp3 failed.

May you check and let me know the reason behind it?
The link is http://web-klocs.com/mpPlayer/

Thanks

Hi!

When I browse to https://crossorigin.me I get:

Error 521 Ray ID: 2ac87d989b7316ac • 2016-06-02 05:26:28 UTC
Web server is down

Could you have a look at it please?

Regards /Johan

@technoboy10: I was thinking that a small test suite (maybe written in Mocha) would be good to ensure that bugs and regressions don't creep in over time; depending on how into the idea you are, you (or I, if you're not sure how) could set up something like Travis CI or Wercker for auto-builds on commit/PRs; they both intergrate with
GitHub and let you know if a commit/PR is broken, and won't allow merging until it's been fixed, which is great!

I'm happy to sketch a few tests out and make a PR if that would help illustrate the idea, your thoughts?

No, and I'm pretty sure it shouldn't. If crossorigin.me supported those verbs, you could do some pretty messed up stuff.

That's, uh, not how it works. The requests would be sent from your end, and as you said, you don't forward cookies (even if you did, what's the worst they could do?).

In any case, nobody really uses PUT and DELETE anymore. People just gave up on the whole "semantic HTTP" thing and use GET/POST for everything—if you're lucky, they pay attention to idempotency.

POST requests, by the way, would be incredibly useful, since so many APIs listen to them.

Oh, and while I'm at it about security: you should either enable a legit SSL cert on your domain (non-free with Heroku) or tell folks that they can use atcors.herokuapp.com for secure connections. Otherwise they're open to mitming (again, what's the worst they can do?).

Offline again; I get a CloudFlare 522 connection timed out error.

Example: https://testssl-expire.disig.sk/index.en.html

Site is currently sown

Error 521 Ray ID: 2a3f895132bb2012 • 2016-05-16 14:31:59 UTC
Web server is down

I have a samsung galaxy s4 with custom rom "google play edition" and a nexus 9
all request returns 404

and the same request works fine on iphone & mac on the same network

Perhaps androids fault that it can't parse the url properly?

sample req: GET http://crossorigin.me/http://ifconfig.me

Support browser caching by forwarding the appropriate headers

Even though Paypal donations can now be made via http://donate.crossorigin.me/ or by becoming a patron for https://www.patreon.com/corsproxy the front page still only lists Bitcoin as donation method.

Adding those links to the front page and readme might motivate more people to support the project via donations.

It would be great if the users had the ability to bypass normal filters that check for specific patterns in the url, like "twitter.com", and this can be done in many ways

base64

say that after https://crossorigin.me/ we had something like b64:aHR0cHM6Ly90d2l0dGVyLmNvbQ==, that will evaluate to https://twitter.com, and the user can easily get it with btoa('https://twitter.com')

rot13

add a rot13 function for the users to call in the console (rather than explicitly in the page), so they can just rotate the characters and put the output of rot13('twitter.com:443') in https://crossorigin.me/r13:

polymorphic function

that changes every day or so, this way the url can't be checked easily, and you'd provide a function like rot13 that the user can look for in the JS code or by enumerating global variables

When I use the link http://api.forismatic.com/api/1.0/?lang=en&method=getQuote&format=json, it change the content every time the page is refreshed.

With the link https://crossorigin.me/http://api.forismatic.com/api/1.0/?lang=en&method=getQuote&format=json, it doesn't change at all. The content is the same every time the page is reloaded.

Example: http://codepen.io/techcater/full/qNbOWy/

Please take a look at this one.

Thanks,

I'm using this proxy to hit the CircleCI API, and to get JSON we need to add an Accept and Content-Type header.

When I do this, the proxy seems to wipe those headers? I attempted a self hosted version, and added those heads to the allowedOriginalHeaders.json file but with no success. I've also noticed that others are not having this problem, as those headers are available when they are displaying the details in other issues.

Am I doing something wrong, or missing a configuration step?

"Domains arn't free you know"
You got this from github you liar :3

Right now it is giving crossorigin.me server ip in remote ip address, it will be useful if there is way to get real user's ip address.

Code seems to eat up more and more memory the longer it runs. Maybe something to do with concurrent processing of requests?