Rob--W / cors-anywhere

CORS Anywhere is a NodeJS reverse proxy which adds CORS headers to the proxied request.
MIT License
8.65k stars, 6.07k forks

Cors Response missing Access-Control-Allow-Methods on mobile #207

Open tommyboylab opened 4 years ago

tommyboylab commented 4 years ago

Describe the bug
My cors-anywhere server is not returning the data from the API endpoint on mobile.

I'm using an axios.get request, and while using the page on a mobile phone, or mobile responsive windows in developer consoles (Chrome, Safari responsive modes) the response is missing Access-Control-Allow-Methods.

To Reproduce


import axios from 'axios';

// extractData is the reporter's own helper and is not shown in the issue.
const getData = async () => {
    try {
        axios.defaults.headers.common['X-Requested-With'] = 'XMLHttpRequest';
        // proxy.com is the cors-anywhere instance, site.data the real API
        const request = `https://proxy.com/https://site.data/`;
        const response = await axios.get(request);
        return extractData(response.data);
    } catch (e) {
        // any failure, including a CORS error, is swallowed and surfaces as null
        return null;
    }
};

Expected behaviour
Data should load, as it loads at desktop resolutions (and in desktop mode on mobile phone browsers).

Environment:

Additional context/Screenshots
(screenshot: AXIOS)

Response Header in Desktop:

Access-Control-Allow-Methods: GET, PUT, POST, DELETE, HEAD, OPTIONS
access-control-allow-origin: *
access-control-expose-headers: content-type,x-ua-compatible,cache-control,pragma,expires,date,p3p,strict-transport-security,content-security-policy,content-encoding,transfer-encoding,server,x-xss-protection,x-frame-options,x-content-type-options,alt-svc,connection,x-final-url,access-control-allow-origin
alt-svc: quic=":443"; ma=2592000; v="46,43",h3-Q050=":443"; ma=2592000,h3-Q049=":443"; ma=2592000,h3-Q048=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000
cache-control: no-cache, no-store, max-age=0, must-revalidate
Connection: keep-alive
content-encoding: br
content-security-policy: script-src 'report-sample' 'nonce-I127VgEm+tBFy2YSgJXSIg' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/PhotosUi/cspreport;worker-src 'self', script-src 'nonce-I127VgEm+tBFy2YSgJXSIg' 'self' 'unsafe-eval' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.gstatic.com https://www.google-analytics.com https://s.ytimg.com https://www.googleapis.com https://youtube.com https://youtube.googleapis.com https://maps.googleapis.com https://maps.gstatic.com https://www.googletagmanager.com https://www.googleadservices.com https://payments.google.com https://www.googleapis.com/appsmarket/v2/installedApps/;report-uri /_/PhotosUi/cspreport
Content-Type: text/html; charset=utf-8
Date: Tue, 10 Dec 2019 12:29:55 GMT
expires: Mon, 01 Jan 1990 00:00:00 GMT
p3p: CP="This is not a P3P policy! See g.co/p3phelp for more info."
pragma: no-cache
Server: nginx/1.14.0 (Ubuntu)
strict-transport-security: max-age=31536000
Transfer-Encoding: chunked
x-content-type-options: nosniff
X-CORS-Redirect-1: 302 https://photos.google.com/share/
x-final-url: https://photos.google.com/share/
x-frame-options: SAMEORIGIN
x-request-url: https://photos.app.goo.gl/
x-ua-compatible: IE=edge
x-xss-protection: 0

Request Header in Desktop:

Accept: application/json, text/plain, */*
Accept-Encoding: gzip, deflate, br
Accept-Language: en-CA,en;q=0.9
Connection: keep-alive
DNT: 1
Host: proxy.site.com
Origin: https://site.com
Referer: https://site.com/album/testing
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-site
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.70 Safari/537.36

Response Header in Mobile:

access-control-allow-origin: *
access-control-expose-headers: content-type,x-ua-compatible,cache-control,pragma,expires,date,content-security-policy,content-encoding,server,x-xss-protection,x-frame-options,x-content-type-options,alt-svc,connection,transfer-encoding,x-final-url,access-control-allow-origin
alt-svc: quic=":443"; ma=2592000; v="46,43",h3-Q050=":443"; ma=2592000,h3-Q049=":443"; ma=2592000,h3-Q048=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000
cache-control: no-cache, no-store, max-age=0, must-revalidate
Connection: keep-alive
content-encoding: gzip
content-security-policy: script-src 'nonce-fjOgq7jgU4Dsl9ogIcxhZw' 'unsafe-inline';object-src 'self';base-uri 'self';report-uri /_/DurableDeepLinkUi/cspreport;worker-src 'self'
Content-Type: text/html; charset=utf-8
Date: Tue, 10 Dec 2019 12:33:43 GMT
expires: Mon, 01 Jan 1990 00:00:00 GMT
pragma: no-cache
Server: nginx/1.14.0 (Ubuntu)
Transfer-Encoding: chunked
x-content-type-options: nosniff
x-final-url: https://photos.app.goo.gl/
x-frame-options: SAMEORIGIN
x-request-url: https://photos.app.goo.gl/
x-ua-compatible: IE=edge
x-xss-protection: 0

Request Header in Mobile:

Accept: application/json, text/plain, */*
Accept-Encoding: gzip, deflate, br
Accept-Language: en-CA,en;q=0.9
Connection: keep-alive
DNT: 1
Host: proxy.site.com
Origin: https://site.com
Referer: https://site.com/album/testing
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-site
User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 10_3_1 like Mac OS X) AppleWebKit/603.1.30 (KHTML, like Gecko) Version/10.0 Mobile/14E304 Safari/602.1

Rob--W commented 4 years ago

Access-Control-Allow-Methods is only included if the Access-Control-Request-Method header is set. This header is only relevant in preflight requests, i.e. OPTIONS requests. Browsers that wish to make a non-simple request via a special method should automatically set the Access-Control-Request-Method header.

If CORS Anywhere generates an Access-Control-Allow-Methods response header, it typically contains only one HTTP verb, because the Access-Control-Request-Method request header has only one verb. The fact that your sample response contains more than one HTTP verb suggests that the requested resource has added the CORS headers itself.

Are you sure that the issue that you're observing is caused by CORS Anywhere?
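
The following is an added example, not code from cors-anywhere or from anyone in this thread. It models the behaviour Rob--W describes: a CORS-adding proxy emits Access-Control-Allow-Methods only when the browser sent Access-Control-Request-Method, which happens only on a preflight (OPTIONS) for a non-simple request, and it echoes the single verb that was asked about. The upstream headers and request headers are constructed stand-ins; the function names are my own. One caveat worth knowing: setting a custom header such as X-Requested-With, as the reporter's axios code does, is exactly what turns a GET into a non-simple request and triggers that preflight.

```javascript
// Added example, not cors-anywhere's own code: a minimal model of how a
// CORS-adding reverse proxy decides which Access-Control-* headers to emit.
// Header names are lower-cased, as Node's http module delivers them.

// Constructed upstream response headers (stand-in for what the origin server
// returns to the proxy).
const UPSTREAM_RESPONSE_HEADERS = {
  'content-type': 'text/html; charset=utf-8',
  'x-frame-options': 'SAMEORIGIN',
};

// Build the headers sent back to the browser for one proxied request.
// Allow-Methods is generated only when Access-Control-Request-Method arrived,
// i.e. on a preflight, and it echoes that single verb.
function addCorsHeaders(upstreamHeaders, reqHeaders) {
  const headers = { ...upstreamHeaders, 'access-control-allow-origin': '*' };

  const requestedMethod = reqHeaders['access-control-request-method'];
  if (requestedMethod) {
    headers['access-control-allow-methods'] = requestedMethod;
  }
  const requestedHeaders = reqHeaders['access-control-request-headers'];
  if (requestedHeaders) {
    headers['access-control-allow-headers'] = requestedHeaders;
  }
  // Expose every header so the page's script can read them; this is why the
  // traces above list the whole header set in access-control-expose-headers.
  headers['access-control-expose-headers'] = Object.keys(headers).join(',');
  return headers;
}

// Rob--W's diagnostic: a proxy-generated Allow-Methods carries exactly one
// verb, so a comma-separated list was added by the origin server, not the proxy.
function allowMethodsLooksUpstream(responseHeaders) {
  const value = responseHeaders['access-control-allow-methods'];
  if (!value) return false;
  const verbs = value.split(',').map((v) => v.trim()).filter(Boolean);
  return verbs.length > 1;
}

// A plain GET: no preflight, so no Access-Control-Request-Method arrives and
// no Allow-Methods is generated. That is normal, not a bug.
const plainGet = addCorsHeaders(UPSTREAM_RESPONSE_HEADERS, {
  host: 'proxy.site.com',
  origin: 'https://site.com',
});

// The preflight for the reporter's axios call: the custom X-Requested-With
// header makes the request non-simple, so the browser sends OPTIONS first.
const preflight = addCorsHeaders(UPSTREAM_RESPONSE_HEADERS, {
  host: 'proxy.site.com',
  origin: 'https://site.com',
  'access-control-request-method': 'GET',
  'access-control-request-headers': 'x-requested-with',
});

console.log('plain GET ->', plainGet['access-control-allow-methods']);   // undefined
console.log('preflight ->', preflight['access-control-allow-methods']);  // GET
console.log('desktop trace looks upstream?', allowMethodsLooksUpstream({
  'access-control-allow-methods': 'GET, PUT, POST, DELETE, HEAD, OPTIONS',
}));                                                                     // true
```

Run with `node` to see the three cases. The model also makes the security trade-off of an open CORS proxy visible: it answers `*` for any origin and echoes whatever verb and headers the preflight asks for, so anyone running one on their own domain should restrict which origins may use it (cors-anywhere documents an originWhitelist option for that) rather than leaving it open to the internet.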

tommyboylab commented 4 years ago

I posted the same issue over at the Axios repo, here. They closed it as being a server (CORS?) issue. I'm not sure what is causing the issue, only that:

I was receiving CORS issues with the initial GET request
I created a cors-anywhere proxy and routed the API through it -> worked as expected on desktop
I tried the same request on mobile -> failed to receive the same data
I tried the request on mobile again, this time with desktop mode on -> worked as expected

I'm not sure how to properly debug the request, or what the issue could be. Is there possibly any way to spoof the User-Agent of the request, to see if the content loads when the desktop User-Agent is forced?

I'd like to do this at the request level, so users themselves don't need to switch their browsers manually

VITAL1E commented 3 years ago

@tommyboylab Hey, did you figure it out? I am having the same issue.

karsiong commented 2 years ago

omg... still happening!! after 3 years.... same issue here, axios get + cors everywhere

SeanOverton commented 2 years ago

I just had a seemingly similar issue. I found I needed to add into my allowed CORS policy on the server support for www.mydomain.com (as previously I only had "mydomain.com"). Mobile browsers seemed to default to adding the www (e.g. www.domain.com), which was not yet allowed in the server CORS policy.
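
The following is an added example, not code from cors-anywhere or from the commenter above. It shows the mechanism behind the fix SeanOverton describes: a browser origin is scheme + host + port and is compared as one exact string, so an allowlist entry for https://mydomain.com does not cover https://www.mydomain.com, and each variant must be listed. The hostnames are constructed placeholders and the function names are my own; the suffix-match function is included only to show the failure mode that a "just match the domain" shortcut introduces.

```javascript
// Added example, not cors-anywhere's own code: an exact-match Origin
// allowlist for a server that sets its own CORS headers.

const ALLOWED_ORIGINS = new Set([
  'https://mydomain.com',
  'https://www.mydomain.com', // the entry that was missing in the thread
]);

// Return the CORS response headers for a request carrying `originHeader`, or
// an empty object when the origin is not allowed (the browser then refuses
// to hand the response to the page).
function corsHeadersFor(originHeader) {
  if (typeof originHeader !== 'string' || !ALLOWED_ORIGINS.has(originHeader)) {
    return {};
  }
  return {
    'access-control-allow-origin': originHeader,
    // The response now depends on Origin, so shared caches must key on it;
    // otherwise one origin's answer could be served to another.
    vary: 'Origin',
  };
}

// The shortcut people reach for instead: a suffix test. Kept only to show
// the failure mode; it accepts any attacker-controlled host ending in the string.
function unsafeSuffixMatch(originHeader) {
  return typeof originHeader === 'string' && originHeader.endsWith('mydomain.com');
}

// Constructed Origin values to walk through both checks.
const SAMPLE_ORIGINS = [
  'https://mydomain.com',          // apex, allowed
  'https://www.mydomain.com',      // www, allowed once listed
  'http://www.mydomain.com',       // different scheme -> different origin
  'https://www.mydomain.com:8443', // different port -> different origin
  'https://notmydomain.com',       // attacker host the suffix test lets through
];

function compareChecks() {
  return SAMPLE_ORIGINS.map((origin) => ({
    origin,
    exact: Object.keys(corsHeadersFor(origin)).length > 0,
    suffix: unsafeSuffixMatch(origin),
  }));
}

for (const row of compareChecks()) {
  console.log(`${row.origin.padEnd(32)} exact=${row.exact} suffix=${row.suffix}`);
}
```

The exact-match check rejects the scheme and port variants as well as the look-alike host, while the suffix test waves the look-alike through; that last row is the reason to keep the allowlist a set of full origins rather than a pattern.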

karsiong commented 2 years ago

> I just had a seemingly similar issue. I found I needed to add into my allowed CORS policy on the server support for www.mydomain.com (as previously I only had "mydomain.com"). Mobile browsers seemed to default to adding the www (e.g. www.domain.com), which was not yet allowed in the server CORS policy.

Just modify the code with a settable User-Agent. The proxy mirrors everything, including the User-Agent, so when different client devices call the proxy they get different behaviour; for consistency, add a configurable User-Agent to the code.

// Read the override from the environment, e.g. CORSANYWHERE_USERAGENT="Mozilla/5.0 ..."
var setUserAgent = process.env.CORSANYWHERE_USERAGENT;
if (setUserAgent) {
  // serverOptions is the options object handed to cors_proxy.createServer();
  // setHeaders overwrites the named request headers before the request is
  // forwarded upstream. Merge so that any other setHeaders entries are kept.
  serverOptions.setHeaders = Object.assign({}, serverOptions.setHeaders, {
    'user-agent': setUserAgent
  });
}

cleanspacedev commented 1 year ago

@karsiong Hi there, I was wondering where you added the code for the user agent. I am new to CORS Everywhere and we are having the same issue with our mobile APIs not going through.