{"id":18448378,"url":"https://github.com/darkseal/corsflare","last_synced_at":"2025-10-05T18:07:42.985Z","repository":{"id":37544572,"uuid":"281807211","full_name":"Darkseal/CORSflare","owner":"Darkseal","description":"A lightweight JavaScript CORS Reverse Proxy designed to run in a Cloudflare Worker.","archived":false,"fork":false,"pushed_at":"2020-09-13T20:06:49.000Z","size":56,"stargazers_count":163,"open_issues_count":5,"forks_count":49,"subscribers_count":5,"default_branch":"master","last_synced_at":"2025-06-21T04:48:38.075Z","etag":null,"topics":["access-control-allow-origin","cloudflare","cloudflare-worker","cloudflare-workers","cors","cors-proxy","cors-proxy-serverless","cross-site","fetch","fetch-api","iframe","javascript","nodejs","reverse-proxy","same-origin-policy","x-frame-options","xmlhttprequest"],"latest_commit_sha":null,"homepage":"https://www.ryadel.com/en/portfolio/corsflare/","language":"JavaScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/Darkseal.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2020-07-22T23:53:20.000Z","updated_at":"2025-06-02T09:30:03.000Z","dependencies_parsed_at":"2022-09-09T04:11:50.759Z","dependency_job_id":null,"html_url":"https://github.com/Darkseal/CORSflare","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/Darkseal/CORSflare","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Darkseal%2FCORSflare","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Darkseal%2FCORSflare/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories
/Darkseal%2FCORSflare/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Darkseal%2FCORSflare/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/Darkseal","download_url":"https://codeload.github.com/Darkseal/CORSflare/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Darkseal%2FCORSflare/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":278494644,"owners_count":25996414,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-10-05T02:00:06.059Z","response_time":54,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["access-control-allow-origin","cloudflare","cloudflare-worker","cloudflare-workers","cors","cors-proxy","cors-proxy-serverless","cross-site","fetch","fetch-api","iframe","javascript","nodejs","reverse-proxy","same-origin-policy","x-frame-options","xmlhttprequest"],"created_at":"2024-11-06T07:15:44.567Z","updated_at":"2025-10-05T18:07:42.968Z","avatar_url":"https://github.com/Darkseal.png","language":"JavaScript","funding_links":[],"categories":[],"sub_categories":[],"readme":"# CORSflare\nA lightweight JavaScript CORS Reverse Proxy designed to run in a Cloudflare Worker.\n\n## Introduction\nCORSflare is a reverse proxy written in JavaScript that can be used to bypass most common Cross-Origin Resource Sharing restrictions,\nsuch 
as:\n\n* **Frame/Iframe**: *Refused to display [some URL] in a frame because it is set 'X-Frame-Options' to 'SAMEORIGIN'*\n* **XMLHttpRequest**: *XMLHttpRequest cannot load [some URL]. Origin [some origin] is not allowed by Access-Control-Allow-Origin*\n\n... And so on.\n\nThe proxy has been designed to run within a Cloudflare Worker, which is freely available for up to 100.000 requests per day;\nthis basically means that you can use this proxy to put any external web page within a `\u003ciframe\u003e` element, \nand/or call an external API via AJAX, and/or to bypass any common CORS restriction without spending a penny, \nassuming you don't have enterprise-grade service level requirements.\n\n### Wait a minute... what is CORS?\nIf you've stumbled upon this project there's a high chance you already know what CORS actually is \nand why you need to bypass such policies: if that's the case, just skip this section and go ahead.\n\nIn the unlikely case you don't, just know that *Cross-Origin Resource Sharing* (CORS) is a mechanism that uses \nadditional HTTP headers to tell browsers to give a web application running at one origin, \naccess to selected resources from a different origin.\n\nA web page executes a *cross-origin* HTTP request when it requests a resource that has a different origin\n(domain, protocol, or port) from its own. For security reasons, modern browsers restrict some of those cross-origin HTTP requests \n(`script`, `iframe`, JS-initiated requests such as `XMLHttpRequest` and `Fetch API` calls, and so on) because they could \nbe abused in various ways. 
These restrictions are applied using a `same-origin` policy, which explicitly prevents the browser\nfrom requesting those kinds of resources unless they come from the *same origin* (FQDN) of the HTML page (or script) that tries \nto load them.\n\nThe following diagram explains this concept in a visual way:\n\n![Cross-Origin Requests](https://mdn.mozillademos.org/files/14295/CORS_principle.png)\n\nThe only way to overcome the `same-origin` policy is to ensure that the requested resource from other origins \nincludes the right HTTP headers, such as the following ones:\n* [Access-Control-Allow-Origin](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin),\nwhich indicates whether the response can be shared with requesting code from the given origin.\n* [X-Frame-Options](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options), which can be used to indicate \nwhether or not a browser should be allowed to render a page in a `\u003cframe\u003e`, `\u003ciframe\u003e`, `\u003cembed\u003e` or `\u003cobject\u003e` HTML element.\n\nIf you can access (or ask) the server hosting the \"other origin\" resources and configure those headers to authorize your domain,\nthere's a high chance you don't need to use this proxy or other workarounds: that's the proper (and most efficient) way to fix\nyour issue.\n\nConversely, if you don't have access to those resources and/or can't change their HTTP headers, you might find \nthe CORSflare Reverse Proxy useful enough, since it's specifically designed to remove such limitations.\n\n## How it works\n\nHere's a diagram that shows how the CORS reverse proxy actually works:\n\n![CORS Reverse Proxy](https://www.ryadel.com/wp-content/uploads/2020/07/cors-reverse-proxy-diagram.png)\n\nIn a nutshell, the proxy will respond to the preflight request issued by the *Front End App* (for example, a web browser) \nby setting the \"CORS allowed\" headers: right after that, it will forward the request to the 
target server, receive its response \nand send it back to the client app without the `same-origin` limitations.\n\nMoreover, **CORSflare** can also be configured to perform some other additional tasks, such as \"on-the-fly\" text replacement \n(to handle inner links, URLs and so on), cache control overrides, blocking traffic coming from certain regions / countries or IP addresses, \nand so on.\n\n## How to install\nTo set up CORSflare within a Cloudflare Worker, follow these steps:\n* **Download the latest CORSflare version** from the CORSflare GitHub page: you'll only need the `CORSflare.js` JavaScript file.\n* **Log in to Cloudflare**. If you don't have an account, create one: it's free \nand the basic plan will arguably be enough for most common scenarios, as it will grant 100.000 requests per day.\n* **Navigate to the *Workers* section** using the top-level menu.\n* **Create a new worker**. If it's the first time you do that, you'll also be asked to choose a subdomain, such as `domainName.workers.dev`.\nThe subdomain name will be appended to the worker's name to form the worker's FQDN, such as `workerName.domainName.workers.dev`.\n* **Paste the CORSflare.js source code within the worker code**.\n* **Set up the CORSflare configuration settings** by following the instructions in the code comment sections (or see below).\n\n## Configuration Settings\nCORSflare's configuration settings can be set via some JavaScript constants \u0026 variables placed at the beginning of the source code.\nThe best way to do that is to read the code comments. 
However, here's a quick breakdown of the most relevant options:\n\n* **upstream** : The hostname of the upstream website to proxy (example: `www.google.com`).\n* **upstream_mobile** : the hostname of the upstream website to proxy for requests coming from mobile devices (example: `www.google.com`);\nif the upstream website doesn't have a dedicated hostname for mobile devices, you can set it to NULL.\n* **upstream_path** : custom pathname for the upstream website ('/' will work for most scenarios).\n* **upstream_allow_override**: set it to TRUE to allow the default upstream to be overridden with a customizable GET parameter, FALSE otherwise.\n* **upstream_get_parameter**: the GET parameter that can be used to override the default upstream if `upstream_allow_override` is set to TRUE (default is `CORSflare_upstream`).\n* **blocked_regions** : an array of countries and regions that won't be able to use the proxy.\n* **blocked_ip_addresses** : an array of IP addresses that won't be able to use the proxy.\n* **https** : set this value to TRUE to fetch the upstream website using HTTPS, FALSE to use HTTP.\nIf the upstream website doesn't support HTTPS, this must be set to FALSE; also, if the proxy is HTTPS,\nyou'll need to enable the replace_dict rule to HTTPS proxy an HTTP-only website (see below).\n* **http_response_headers_set** : an array of HTTP Response Headers to add (or to update, in case they're already present \nin the upstream response); this option can be used to circumvent the `same-origin` policy \nbecause it allows setting the `X-Frame-Options` and `Access-Control-Allow-Origin` headers to allow cross-origin requests.\n* **http_response_headers_delete** : an array of HTTP Response Headers to delete (if present in the upstream response);\nthis option can be used to circumvent the `same-origin` policy because it allows removing the `Content-Security-Policy` headers before serving the upstream pages to the end-user client.\n* **replacement_rules** : Can be used 
to define custom text replacement rules (see section below).\n* **replacement_content_types** : Can be used to specify the returned content's content-type(s) to apply\nthe `replacement_rules` to.\n* **replacement_use_regex** : Can be used to enable or disable RegEx syntax in replacement rules.\n\n### Text Replacement Rules\nThe `replacement_rules` array can be used to configure the text replacement rules\nthat will be applied by the proxy before serving any text/html resource back to the user.\n\nThe common usage of such rules is to \"fix\" non-standard internal URLs and/or local paths\nwithin the upstream's returned contents (html pages, css, js, internal links, custom fonts, and so on,\ndepending on the content type(s) specified in the `replacement_content_types` array) and force them \nto pass through the proxy; however, they can also be used to alter the response content in various ways\n(change a logo, modify the page title, add a custom css/js, and so on).\n\nEach rule must be defined in the following way:\n\n    '\u003csource_string\u003e' : '\u003creplacement_string\u003e'\n\nThe following dynamic placeholders can be used within the source and replacement strings:\n\n* `{upstream_hostname}` : will be replaced with the upstream's hostname\n* `{proxy_hostname}` : will be replaced with this proxy's hostname\n\n**HINT**: Rules are processed from top to bottom: put the most specific rules before the generic ones.\n\n## Useful References\n* [CORSflare official project page](https://www.ryadel.com/en/portfolio/corsflare/)\n* [CORSflare setup guide](https://www.ryadel.com/en/corsflare-free-cors-reverse-proxy-bypass-same-origin/)\n* [CORSflare's GitHub page](https://github.com/Darkseal/CORSflare)\n\n## Credits\nCORSflare is strongly based upon the following projects:\n* [worker-proxy](https://github.com/Berkeley-Reject/workers-proxy/) by [Berkeley-Reject](https://github.com/Berkeley-Reject) (MIT License)\n* 
[cloudflare-cors-anywhere](https://github.com/Zibri/cloudflare-cors-anywhere) by [Zibri](https://github.com/Zibri) (MIT License)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdarkseal%2Fcorsflare","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fdarkseal%2Fcorsflare","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdarkseal%2Fcorsflare/lists"}