cors-anywhere
Allow cookies behind flag
Hi!
Thanks for this great little tool you've built. It's been great for us to use as part of a development server.
One little nit for us is the omission of the set-cookie header, because we depend on this for authentication. I understand that you've disallowed this to avoid security issues in production, but since we're using it in a development server we would like to allow it.
Is it possible you could add an option to allow cookies, perhaps hidden behind an obscure flag (e.g. dangerouslyAllowCookies)?
to avoid security issues in production, since we're using it in a development server we would like to allow it.
This line of thinking is dangerous ;)
Adding such a blanket flag is not secure unless it is guaranteed that the CORS server only proxies responses for a single origin.
If you do really want an option to allow cookies, please submit a pull request that does the following:
- The feature is disabled by default: unless the flag is set, remove the cookie (as is done at the moment - https://github.com/Rob--W/cors-anywhere/blob/efc13eec1fedaf01d1bb44a43d995228ce86fd61/lib/cors-anywhere.js#L176-L178).
- Whenever there is a Set-Cookie/Set-Cookie2 header, rewrite the URL so that a path is added to the cookie, containing the domain+path part of the original cookie. Note: Because cookies can be any arbitrary domain suffix, and the path can only match one prefix, you should probably use something like "path=/https://example.com/original-path-here". As a result, cookies won't be shared across subdomains, but implementing this is not feasible.
- Preferably (strongly!), mark all cookies as Http-only, because CORS Anywhere is not supposed to be used for direct requests. If someone does decide to disable the origin/x-requested-with check, then cookies should not suddenly become available to scripts because that usage is highly insecure.
- Cookies will only work in the browser when Access-Control-Allow-Credentials: true is set. This header cannot be used in conjunction with a wildcard Access-Control-Allow-Origin header; PR #52 adds an option to use non-wildcard origins, so in the documentation for your new option you should mention that the other option should be set as well.
- The pull request must include unit tests that verify the expected behavior.
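One way to implement the rewrite the maintainer lays out above (strip cookies unless the flag is set, scope each cookie with a Path of the form /https://example.com/original-path, force HttpOnly), as an added example that is not cors-anywhere's own code. The function names, the lower-case headers-object shape and the use of RFC 6265's default-path rule are assumptions; Access-Control-Allow-Credentials and the non-wildcard origin from PR #52 still have to be set separately.

```javascript
// Default cookie path per RFC 6265 section 5.1.4: the request path up to,
// but not including, the right-most "/" ("/" if there is none).
function defaultCookiePath(pathname) {
  const idx = pathname.lastIndexOf('/');
  return idx <= 0 ? '/' : pathname.slice(0, idx);
}

// Rewrite one Set-Cookie value so the cookie is scoped to the proxied
// origin+path (e.g. "Path=/https://example.com/api") instead of being sent
// to every site proxied through the same CORS Anywhere host. The Domain
// attribute is dropped (the browser only sees the proxy's host) and
// HttpOnly is forced, as the comment above asks.
function rewriteSetCookie(cookie, requestUrl) {
  const target = new URL(requestUrl);
  const parts = cookie.split(';').map((p) => p.trim()).filter(Boolean);
  const nameValue = parts.shift();
  let domain = target.hostname;
  let path = defaultCookiePath(target.pathname);
  const kept = [];
  for (const attr of parts) {
    const eq = attr.indexOf('=');
    const key = (eq === -1 ? attr : attr.slice(0, eq)).trim().toLowerCase();
    const val = eq === -1 ? '' : attr.slice(eq + 1).trim();
    if (key === 'domain') domain = val.replace(/^\./, '');
    else if (key === 'path') { if (val.startsWith('/')) path = val; }
    else if (key !== 'httponly') kept.push(attr); // HttpOnly is re-added below
  }
  // target.protocol is "https:", so this yields "/https://example.com/api".
  kept.push(`Path=/${target.protocol}//${domain}${path}`);
  kept.push('HttpOnly');
  return [nameValue, ...kept].join('; ');
}

// Apply the policy to a Node response-headers object (lower-case keys,
// assumed shape). Flag off: cookies are stripped, as cors-anywhere does
// today. Flag on: every Set-Cookie/Set-Cookie2 value is rewritten.
function applyCookiePolicy(headers, requestUrl, allowCookies) {
  for (const name of ['set-cookie', 'set-cookie2']) {
    if (!(name in headers)) continue;
    if (!allowCookies) { delete headers[name]; continue; }
    const values = Array.isArray(headers[name]) ? headers[name] : [headers[name]];
    headers[name] = values.map((c) => rewriteSetCookie(c, requestUrl));
  }
  return headers;
}
```

Because CORS Anywhere URLs look like proxy-host/https://example.com/..., a browser will only send the rewritten cookie back on requests that are proxied to that same origin and path prefix.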
Hi,
Thank you for this great tool. I just need a little more help from you. I need to include the cookie in the CORS request. I tried adding with credential="true" in my request, but with that the cookie is not going through the CORS request. Is there any way to make it possible?
Thanks in advance
I need to include the cookie in the CORS request. I tried adding with credential="true" in my request, but with that the cookie is not going through the CORS request. Is there any way to make it possible?
As an API user (from the client side)? No. As the host of CORS Anywhere? Only if you modify the server. I described in an earlier comment how this can be implemented.
Thanks for the fast reply. Yes, I hosted an instance of CORS Anywhere. I'm looking for where to change and what to change in the CORS Anywhere files to send the cookies in the request.
@jeetgit See https://github.com/Rob--W/cors-anywhere/issues/56#issuecomment-267905416 to see what to change, and where to change it.