Rob--W / cors-anywhere

CORS Anywhere is a NodeJS reverse proxy which adds CORS headers to the proxied request.
MIT License

Whitelisting subdomain doesn't work as expected #474

Open sibsfinx opened 10 months ago

sibsfinx commented 10 months ago

I'm running cors-anywhere via pm2:

```sh
CORSANYWHERE_WHITELIST=https://www.test.mydomain.com/,https://www.mydomain.com/ PORT=8080 pm2 start server.js --name cors-anywhere
```

When trying to reach it from a subdomain, I get a 403:

```js
const r = await fetch("https://cors.mydomain.com/https://some-iframe-url.io/", {
  "headers": {
    "origin": "https://www.test.mydomain.com/",
  }
});

// fails with 403
// The origin "https://www.gamma.vectary.com" was not whitelisted by the operator of this proxy.
```

But when doing the same from a 2nd-level domain, it's all good:

```js
const r = await fetch("https://cors.mydomain.com/https://some-iframe-url.io/", {
  "headers": {
    "origin": "https://www.mydomain.com/",
  }
});

// 200 OK
```

Am I missing anything?
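
An added example (not part of the original post and not cors-anywhere's own code) showing how a trailing slash in a `CORSANYWHERE_WHITELIST` entry interacts with the `Origin` value a browser sends, which is the serialized origin with no path and which page script cannot override through `fetch` headers. It assumes the proxy compares the `Origin` header to each list entry as an exact string; `parseList`, `isAllowed`, `normalizeEntry`, `normalizeList` and `demo` are hypothetical helpers.

```javascript
// Added example. Assumption: the proxy splits the env value on commas and
// compares the Origin header to each entry verbatim (exact string match).

// Split the comma-separated env value as-is: no trimming, no normalization.
function parseList(env) {
  return env ? env.split(',') : [];
}

// Assumed proxy behaviour: an empty list allows every origin, otherwise the
// header must equal one entry exactly (no prefix or suffix matching).
function isAllowed(list, originHeader) {
  return list.length === 0 || list.includes(originHeader);
}

// Reduce one entry to its serialized origin (scheme://host[:port]).
// Malformed or non-http(s) entries throw instead of being kept silently.
function normalizeEntry(entry) {
  const url = new URL(entry.trim());
  if (url.protocol !== 'http:' && url.protocol !== 'https:') {
    throw new Error(`not an http(s) origin: ${entry}`);
  }
  return url.origin;
}

// Normalize every non-blank entry and drop duplicates.
function normalizeList(env) {
  const entries = parseList(env).filter((e) => e.trim() !== '');
  return [...new Set(entries.map(normalizeEntry))];
}

// Whitelist value from the report, and the Origin a browser page served
// from https://www.test.mydomain.com/ sends (constructed for this example).
const raw = 'https://www.test.mydomain.com/,https://www.mydomain.com/';
const browserOrigin = 'https://www.test.mydomain.com';

function demo() {
  return {
    asConfigured: isAllowed(parseList(raw), browserOrigin),
    normalized: isAllowed(normalizeList(raw), browserOrigin),
    entries: normalizeList(raw),
  };
}

console.log(demo());
```

Running the normalization once before starting the proxy and exporting the result joined with commas keeps the list in the form an exact comparison expects.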