A CORS error is one of the most common website development issues: users see broken images, video players that do not show, or site functions that do not work.
These errors happen when the server hosting the requested content refuses a cross-origin request based on its CORS configuration.
Proxy servers, specifically CORS proxies, can resolve this, but with a few caveats.
Continue reading to learn more about CORS proxies and the risks associated with their use.
🔑 Key Takeaways
- CORS proxies help resolve CORS errors by acting as middlemen between the client’s browser and the server hosting the content.
- Risks associated with CORS proxies include security issues, potential cookie leakage, and the possibility of server-side request forgery (SSRF).
- Use trusted paid CORS proxy providers or set up your proxy server to mitigate security risks.
- Whitelisting the targets a proxy may request helps prevent SSRF attacks by restricting the proxy to a safe list of destinations.
What is CORS?
Before diving into CORS proxies, it is crucial to understand what CORS is and how it works.
CORS, or Cross-Origin Resource Sharing, is a mechanism that lets a page request content hosted on a server of a different origin.
To give you some clarity, here are some CORS examples:
- An image used on a website but hosted on another website or server
- JS scripts or JSON hosted on another server or sub-domain
The CORS mechanism is usually adopted as a flexible solution, since most web browsers implement the same-origin policy for end-user safety.
Under the same-origin policy, a page can only read content that comes from the same domain, port number, and protocol (scheme). Content does not always live there, so CORS comes into the picture.
To gain a better understanding of what CORS is, check out the video below:
🎥 YouTube Video: CORS in 100 Seconds (00:00-01:11)
To overcome errors due to denied requests, the host server must change its CORS configuration or use a CORS proxy.
What Is a CORS Proxy and How It Works
📖 Definition: A CORS proxy acts as a middleman between the requesting client or browser and the server hosting the desired content. CORS proxies exist to overcome CORS errors.
Suppose a page needs content hosted on example2.com. Here is how a CORS proxy handles it:
- The browser will send the request to the CORS proxy server.
- The CORS proxy will then forward the request to example2.com.
- The host of example2.com sends the response to the CORS proxy.
- The CORS proxy forwards the response to the browser client with the proper CORS headers.
- The browser will approve and render the content.
It may look easy, but there are security risks involved in using CORS proxies. These risks will be discussed in the next section.
Risks Of Using CORS Proxies
Here are the risks involving the use of CORS proxies and how they can be handled:
1. CORS Proxies Know It All
CORS proxies can do anything with the traffic that passes through them.
Sending traffic to a CORS proxy means that you absolutely trust the proxy. It can read all the data you pass through, with almost no exception.
Free proxies are already risky; free CORS proxies even more so.
For example, if your site is set up to fetch JavaScript from a different origin through a CORS proxy, the proxy can hand your users any script it likes, and the browser will run it.
Letting other people take control of your site’s functions can be terrifying. It is better to create your own proxy server for CORS or rely on a trusted paid provider.
✅ Pro-tip: Always do a thorough check before choosing a proxy provider, even if you’re planning to use a paid one. This ensures better security and minimizes the associated risks.
2. Cookies May Leak To Unintended Destination
Responses from the requested servers may include cookies. The browser cannot tell which server a cookie was intended for, because it only ever interacts with the CORS proxy server.
Let’s say example.com needs to source content from example2.com.
The browser sends a request to the CORS proxy server, and the response carries a “Set-Cookie” header. The cookie intended for example2.com is saved in the browser under the proxy’s origin.
In another section of the site, example.com needs to source content from example3.com.
The browser sends a request to the CORS proxy and includes the cookie that was intended for example2.com. It only interacts with the CORS proxy, so it does not know the difference.
It all comes down to how much you trust the proxy server and the servers hosting the content you need.
If you have control of the CORS proxy server, it might be better to remove cookie headers altogether. The same is true for allowing the transfer of credentials.
✅ Pro-tip: To avoid the risk of cookies being sent to unintended destinations, consider removing cookie headers and assess the reliability of both the proxy and the content-hosting servers.
3. Server-Side Request Forgery
If you decide to host an internal CORS proxy, there is a danger that your internal network will be exposed to outside users.
This attack is known as server-side request forgery (SSRF). It is carried out by sending a request through the proxy that targets internal resources.
A user can set the destination to 127.0.0.1 or localhost to make the proxy request resources from its own host or network.
This attack can potentially reach an admin interface or expose sensitive information.
✅ Pro-tip: Whitelisting the targets the proxy may request helps avoid this. By forwarding requests to trusted destinations only, you reduce the risk of unauthorized access to sensitive internal resources.
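Putting the proxy flow from the earlier section and both mitigations together, here is an added example in Node.js (not code from the article or from any proxy product it names): a minimal proxy core that only forwards to hosts on an assumed allowlist, strips cookie and credential headers in both directions, and adds the CORS headers the browser expects. Upstream fetching is injected so the logic runs offline; the hosts and sample data are constructed placeholders.

```javascript
// Added example, not from the article or any proxy product it names.
// Hosts, URLs and sample data below are constructed placeholders.
const ALLOWED_TARGET_HOSTS = new Set(["example2.com", "example3.com"]); // assumed allowlist

// SSRF guard: only http(s) URLs whose hostname is on the allowlist are
// forwarded; 127.0.0.1, localhost, internal names and unparsable
// strings all fail the exact-match check.
function isAllowedTarget(targetUrl) {
  let u;
  try { u = new URL(targetUrl); } catch { return false; }
  if (u.protocol !== "http:" && u.protocol !== "https:") return false;
  return ALLOWED_TARGET_HOSTS.has(u.hostname);
}

// Cookie-leak guard: credentials the browser holds for the proxy's origin
// never go upstream, and cookies an upstream tries to set are never
// handed back. Header names are normalised to lowercase.
const REQUEST_DROP = new Set(["cookie", "authorization", "host"]);
const RESPONSE_DROP = new Set(["set-cookie", "set-cookie2"]);
function scrub(headers, dropSet) {
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    const key = name.toLowerCase();
    if (!dropSet.has(key)) out[key] = value;
  }
  return out;
}

// "*" deliberately: a wildcard origin cannot be combined with credentials.
function corsHeaders() {
  return {
    "access-control-allow-origin": "*",
    "access-control-allow-methods": "GET, HEAD, OPTIONS",
    "access-control-allow-headers": "content-type",
  };
}

// The proxy flow: browser -> proxy (/?url=<target>) -> upstream -> browser.
// fetchUpstream(url, headers) is injected so the logic is testable offline;
// a real deployment would pass a function built on fetch() or node:http.
async function handleProxyRequest(req, fetchUpstream) {
  const target = new URL(req.url, "http://proxy.invalid").searchParams.get("url");
  if (!target || !isAllowedTarget(target)) {
    return { status: 403, headers: {}, body: "target not allowed" };
  }
  if (req.method === "OPTIONS") { // preflight is answered by the proxy itself
    return { status: 204, headers: corsHeaders(), body: "" };
  }
  const up = await fetchUpstream(target, scrub(req.headers, REQUEST_DROP));
  const headers = { ...scrub(up.headers, RESPONSE_DROP), ...corsHeaders() };
  return { status: up.status, headers, body: up.body };
}
```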
Best CORS Proxies You Can Use
While there are risks to using CORS proxies, there are also ways to mitigate them.
As long as they are used cautiously, CORS proxies have the potential to be a long-term solution to CORS errors.
With that in mind, here is a list of CORS proxies that you can employ:
1. Cloudflare
Price: Free Plan – 100,000 requests per day; $5/month – 10 million requests per month
Cloudflare is one of the leading CDNs in the world. What makes it popular is its free plan with no time limit.
Its CORS proxy runs on Cloudflare Workers. One of its notable features is content caching: a cached response is ready for delivery on the next request with the same headers.
Keep in mind that you have to pay to extend the features and increase the number of requests.
However, it is likely to be worth the money, given that Cloudflare is a trusted brand that supports over 27 million websites worldwide.
2. CORS Anywhere
Price: FREE
CORS Anywhere is a popular open-source module for Node.js.
It lets you run a CORS proxy server locally. Because CORS is a policy enforced by the browser, routing requests through the proxy bypasses the restriction.
This tool will reroute the request to the local proxy. The proxy will fetch the data from the target origin, then pass it to the browser with proper headers.
CORS Anywhere is a free tool attractive to developers and website owners. The downside is you will always have to run Node.js to keep it working.
3. CORS.SH
Price: $4/month – 500,000 requests per month
Another paid CORS proxy service is CORS.SH. Its code is based on CORS Anywhere, with an added playground.
The basic plan can support up to 500,000 requests per month with no hourly limit.
CORS.SH will save you from running Node.js all the time to keep the proxy working.
However, you should remember the basic CORS proxy precautions when using someone else’s CORS proxy.
Conclusion
CORS proxies have some serious safety issues, but with the necessary precautions they can be a reliable solution for overcoming CORS errors.
Some CORS proxies are intended for testing only, not production. Keep an eye on the use-case recommendations of any CORS proxy you consider.
FAQs
What happens when you enable CORS?
This means you are allowing cross-origin HTTP requests to read content from your server. You can whitelist the domains that may send these requests, so there should be no problem.
What issues does CORS prevent?
CORS prevents arbitrary and unrestrained requests to any website’s or server’s resources. It takes into account that malicious scripts may send requests aiming to steal sensitive data.
What is the impact of CORS vulnerability?
If CORS is poorly configured, servers may respond to almost any request and leak sensitive data.
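As an added example (not from the article), here is the server-side version of the whitelisting the FAQ describes, in Node.js: the origin-reflecting policy that causes the leak the last answer warns about, beside an exact-match allowlist. The trusted origins are assumed placeholders.

```javascript
// Added example, not from the article. TRUSTED_ORIGINS is an assumed
// allowlist of constructed placeholder origins.
const TRUSTED_ORIGINS = new Set(["https://example.com", "https://app.example.com"]);

// Poorly configured: reflects whatever Origin arrives and still allows
// credentials, so any site a logged-in user visits can read the response.
function reflectingCorsHeaders(origin) {
  return {
    "Access-Control-Allow-Origin": origin,
    "Access-Control-Allow-Credentials": "true",
  };
}

// Whitelisted: exact string match only (no suffix or substring checks, which
// would accept look-alike hosts; the literal "null" origin is never trusted).
// Unknown origins get no CORS headers, so the browser withholds the body.
// Vary: Origin stops a cache serving one origin's answer to another.
function allowlistedCorsHeaders(origin) {
  if (typeof origin !== "string" || !TRUSTED_ORIGINS.has(origin)) return {};
  return {
    "Access-Control-Allow-Origin": origin,
    "Access-Control-Allow-Credentials": "true",
    "Vary": "Origin",
  };
}

// Preflight (OPTIONS) answer built on the same decision: only trusted
// origins learn which methods and headers are accepted.
function preflightResponse(origin) {
  const base = allowlistedCorsHeaders(origin);
  if (!("Access-Control-Allow-Origin" in base)) return { status: 403, headers: {} };
  return {
    status: 204,
    headers: {
      ...base,
      "Access-Control-Allow-Methods": "GET, POST",
      "Access-Control-Allow-Headers": "Content-Type",
      "Access-Control-Max-Age": "600",
    },
  };
}
```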
By Harsha Kiran
Harsha Kiran is the founder and innovator of Techjury.net. He started it as a personal passion project in 2019 to share expertise in internet marketing and experiences with gadgets and it soon turned into a full-scale tech blog with specialization in security, privacy, web dev, and cloud computing.