gridaco / cors.sh

Sick of CORS Errors?
https://cors.sh
MIT License

https://cors.bridged.cc/<website> still asks for 'Access-Control-Allow-Origin' header #6

Open iWillBeUnderYourBed opened 3 years ago

iWillBeUnderYourBed commented 3 years ago

Hi,

I'm trying to use your CORS proxy by doing nothing but appending my URL to yours, but I get this message in the console:

Access to XMLHttpRequest at 'https://cors.bridged.cc/<website> from origin 'null' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.

If this is the wrong place to ask for help, is there a better one?

GwonHeeJun commented 3 years ago

Our CORS server has a required header, origin. Is the platform you are using a web app or a server?

iWillBeUnderYourBed commented 3 years ago

I have a JavaScript website and use XMLHttpRequest to make a connection to a server. If I just use your URL (https://cors.bridged.cc/) in front of the server URL, I still get "no 'Access-Control-Allow-Origin' header". If I set the origin header in the JavaScript code: req.setRequestHeader('origin', ''); then I get "Refused to set unsafe header "origin"" in the browser console.

GwonHeeJun commented 3 years ago

Um.... origin is our server's required header. Can I get your project repo link, or an example?

asktami commented 3 years ago

I get a 401 error ("Unauthorized request") when I use https://app.cors.bridged.cc/, AND I get

Access to fetch at 'https://cors.bridged.cc/https://asktami-noteful-api.herokuapp.com/api/notes' from origin 'http://localhost:5000' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource. If an opaque response serves your needs, set the request's mode to 'no-cors' to fetch the resource with CORS disabled.

locally in my React app when I do: npm run build, then serve -s build.

trungnt2910 commented 3 years ago

I've had the same problem:

Access to XMLHttpRequest at 'https://cors.bridged.cc/https://r1---sn-n4v7knls.googlevideo.com/videoplayback?' from origin 'https://app.cors.bridged.cc' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource

This occurs both on my web app and on app.cors.bridged.cc.

All other links are working properly.

softmarshmallow commented 3 years ago

Well, we're sorry that it doesn't work on some links, but what cors.bridged.cc does is pretty straightforward. I'm sorry to say this, but we'll need more information for the API having the problem.

listing up - api that doesn't work with cors.bridged.cc

trungnt2910 commented 3 years ago

> Well, we're sorry that it doesn't work on some links, but what cors.bridged.cc does is pretty straightforward. I'm sorry to say this, but we'll need more information for the API having the problem.
>
> listing up - api that doesn't work with cors.bridged.cc

The second link is a random server used when a YouTube video plays. cors.bridged.cc fails on ALL similar links.

trungnt2910 commented 3 years ago

I don't think those are the APIs' issue. Fetching other large binaries gives the error:

Access to XMLHttpRequest at 'https://cors.bridged.cc/https://speed.hetzner.de/100MB.bin' from origin 'https://app.cors.bridged.cc' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.

The files are simply hosted on https://speed.hetzner.de/. I grabbed the first file and tried to fetch it using the cors.bridged.cc API.

I don't think this should have anything to do with speed.hetzner.de; fetching the home page works fine.

trungnt2910 commented 3 years ago

Confirmed, this problem exists only for large files. Using the same app and method, I've downloaded an 11kB video using your CORS proxy.

Link here.

So are there any actual limitations to your CORS proxy? Because I can't find anything about limited response sizes.

softmarshmallow commented 3 years ago

cors.bridged.cc is hosted on AWS Lambda in the us-west (CA) region. The Lambda payload limitation is 16mb by default, but there must not be any issue with that 11kb video/file.

trungnt2910 commented 3 years ago

> cors.bridged.cc is hosted on AWS Lambda in the us-west (CA) region. The Lambda payload limitation is 16mb by default, but there must not be any issue with that 11kb video/file.

11kB gives me no problems. But ~500kB does. My current solution is to send GET requests in chunks of 128kB, which works properly but imposes speed limits. 16MB requests seem to be good enough for the average internet connection.

gjaekel commented 3 years ago

We're going to replace cors-anywhere with your service. I patched a webpush library to use it as an alternative:

```javascript
// route FCM pushes through the CORS proxy instead of cors-anywhere
if ( /https:\/\/fcm\.googleapis\.com/.test(self._opts.url) ) {
//  self._opts.url = 'https://cors-anywhere.herokuapp.com/' + self._opts.url
    self._opts.url = 'https://cors.bridged.cc/' + self._opts.url
    headersList.push(['x-requested-with', 'XMLHttpRequest'])
}
```

For me, using Chrome, it's still not working either (https://github.com/igniterealtime/openfire-pade-plugin/issues/326#issuecomment-832516869):

Access to fetch at 'https://cors.bridged.cc/https://fcm.googleapis.com:443/fcm/send/fzutPTxcJ00:APA91bEb9DR1J4KNTZ8NGl8xieDgIyqDLFRiFRkhDmfPPn1UC4ZrL1h2jC92ZTB0v9OxzbiSAIqn1mBoK0SEyrDOosY650PU8N-W7C2iux6xjPM--UdeIp0YjZ4c0f_v5FSO_mNnctMc' from origin 'https://miet.dnb.de' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource. If an opaque response serves your needs, set the request's mode to 'no-cors' to fetch the resource with CORS disabled.

Here are the corresponding requests:

Preflight: 

Request URL: https://cors.bridged.cc/https://fcm.googleapis.com:443/fcm/send/czI4nQpzx10:APA91bGoRy5cbfFb8pMkwKFYh1HySYcBJt_meiktUauS_FA7qPPq5TIk3Y-wHgyCd3JiORqAefA6sS__sfJcgzAV98rqVxENsGPS2JW3dbajS6L-_6JV9hhBXutvvWh2ePHYjdYrKVcR
Request Method: OPTIONS
Status Code: 200 
Remote Address: 54.219.160.16:443
Referrer Policy: strict-origin-when-cross-origin

Response Header:
access-control-allow-headers: authorization,content-encoding,content-type,crypto-key,encryption,ttl,x-requested-with
access-control-allow-methods: POST
access-control-allow-origin: *
access-control-expose-headers: access-control-allow-origin,access-control-allow-methods,access-control-allow-headers
content-length: 0
content-type: application/json
date: Wed, 05 May 2021 10:01:40 GMT
x-amz-apigw-id: e2X4sFPcyK4FusQ=
x-amzn-remapped-connection: close
x-amzn-remapped-date: Wed, 05 May 2021 10:01:40 GMT
x-amzn-requestid: 901f3d2b-7877-4257-9938-645c728cd571
x-amzn-trace-id: Root=1-60926d04-261a3e655926dbb17df5c049;Sampled=0
x-powered-by: Express

Request Header:
:authority: cors.bridged.cc
:method: OPTIONS
:path: /https://fcm.googleapis.com:443/fcm/send/czI4nQpzx10:APA91bGoRy5cbfFb8pMkwKFYh1HySYcBJt_meiktUauS_FA7qPPq5TIk3Y-wHgyCd3JiORqAefA6sS__sfJcgzAV98rqVxENsGPS2JW3dbajS6L-_6JV9hhBXutvvWh2ePHYjdYrKVcR
:scheme: https
accept: */*
accept-encoding: gzip, deflate, br
accept-language: en-US,en;q=0.9,de;q=0.8
access-control-request-headers: authorization,content-encoding,content-type,crypto-key,encryption,ttl,x-requested-with
access-control-request-method: POST
origin: https://miet.dnb.de
referer: https://miet.dnb.de/
sec-fetch-dest: empty
sec-fetch-mode: cors
sec-fetch-site: cross-site
user-agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36

POST:

Response Header:
Request URL: https://cors.bridged.cc/https://fcm.googleapis.com:443/fcm/send/czI4nQpzx10:APA91bGoRy5cbfFb8pMkwKFYh1HySYcBJt_meiktUauS_FA7qPPq5TIk3Y-wHgyCd3JiORqAefA6sS__sfJcgzAV98rqVxENsGPS2JW3dbajS6L-_6JV9hhBXutvvWh2ePHYjdYrKVcR
Referrer Policy: strict-origin-when-cross-origin
content-length: 0
content-type: null
date: Wed, 05 May 2021 10:01:40 GMT
x-amz-apigw-id: e2X4uEP0yK4FbJg=

Request Header
:authority: cors.bridged.cc
:method: POST
:path: /https://fcm.googleapis.com:443/fcm/send/czI4nQpzx10:APA91bGoRy5cbfFb8pMkwKFYh1HySYcBJt_meiktUauS_FA7qPPq5TIk3Y-wHgyCd3JiORqAefA6sS__sfJcgzAV98rqVxENsGPS2JW3dbajS6L-_6JV9hhBXutvvWh2ePHYjdYrKVcR
:scheme: https
accept: */*
accept-encoding: gzip, deflate, br
accept-language: en-US,en;q=0.9,de;q=0.8
authorization: WebPush eyJ0eXAiOiJKV1QiLCJhbGciOiJFUzI1NiJ9.eyJhdWQiOiJodHRwczovL2ZjbS5nb29nbGVhcGlzLmNvbSIsImV4cCI6MTYyMDI1MjA5OSwic3ViIjoieG1wcDpiYXN0ZWxrZWxsZXJAY29uZmVyZW5jZS5ldmFsLnhtcHAuZG5iLmRlLzE5YzE1ZGU4In0.KfpS1C74MPXoYcnKKxPFUEQ6iq4udQJtp_PTt80Sc_6jDSK1aPfO2NCtmC5vuNqTqaQkY2RyLBROrT2WIv1HmQ
content-encoding: aesgcm
content-length: 228
content-type: application/octet-stream
crypto-key: dh=BFxb6U_sZKWekhVI16PgWhM2ROd3c-tghj6pV5VlPZaQU6o_9zi30I_U3RRb3JsYi8C5vZmVqS0rzwDlJ_bzCT8;p256ecdsa=BDnq_SPfzPqKAJ3ZaQ4KMdVDXnxJRt6_bKzE2z0oicPkBuMzhS_4P8mnwhI4PlASm_jiNer-s9xjynSIJKQ4oAY
encryption: salt=ojHRJr4vLIFp39h_lFqI1A
origin: https://miet.dnb.de
referer: https://miet.dnb.de/
sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="90"
sec-ch-ua-mobile: ?0
sec-fetch-dest: empty
sec-fetch-mode: cors
sec-fetch-site: cross-site
ttl: 60
user-agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36
x-requested-with: XMLHttpRequest

Payload: [binary aesgcm body omitted]

To me, it seems that the CORS header announced by the OPTIONS request is not in the answer of the following PUT request.

softmarshmallow commented 3 years ago

image

Isn't it simply because of missing authentication? (Also) You'll need to specify one of the headers origin, x-requested-with - the value doesn't matter.

gjaekel commented 3 years ago

> Isn't it simply because of missing authentication? (Also) You'll need to specify one of the headers origin, x-requested-with - the value doesn't matter.

As you can see, this is set; I actually pasted the code change and the whole log of the OPTIONS and PUT requests.

softmarshmallow commented 3 years ago

> > Isn't it simply because of missing authentication? (Also) You'll need to specify one of the headers origin, x-requested-with - the value doesn't matter.
>
> As you can see, this is set; I actually pasted the code change and the whole log of the OPTIONS and PUT requests.

How about the header mentioned above?

Try an empty value instead of ['x-requested-with', 'XMLHttpRequest'].

gjaekel commented 3 years ago

> [...]
> origin: https://miet.dnb.de
> [...]
> x-requested-with: XMLHttpRequest

gjaekel commented 3 years ago

> Try an empty value instead of ['x-requested-with', 'XMLHttpRequest'].

will try ...

softmarshmallow commented 3 years ago

It might be more helpful for you to find answers at https://github.com/igniterealtime/openfire-pade-plugin/issues/326, since cors.bridged.cc behaves exactly the same as cors-anywhere.

Or perhaps do you want me to refer this issue to cors-anywhere? (I'm not quite sure I can help you with this case any further.)

gjaekel commented 3 years ago

Thank you, but you are pointing me to our own project's issue, which I'm going to resolve. :)

Yes, it behaves the same way, with the exception of the additional header, which triggers the preflight handshake. The OPTIONS request resulting from this is accepted by Chrome, but not the POST request.

> Try an empty value instead of ['x-requested-with', 'XMLHttpRequest'].

As expected, there is no difference. Could you send me the exact logs of the request on your side?

gjaekel commented 3 years ago

At https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS it says:

Note

As described below, the actual POST request does not include the Access-Control-Request-* headers; they are needed only for the OPTIONS request.

Might it be a Chrome bug that this browser nevertheless expects them for the POST request?

aacassandra commented 3 years ago

Hi @softmarshmallow, this works well on the official web app: https://app.cors.bridged.cc/id?method=GET&url=https%3A%2F%2Fcdn.idntimes.com&path=%2Fcontent-images%2Fpost%2F20181230%2F1-16f73d6c873acca7d7977e8e40a61be8.jpg

But when I implement it in my code (I'm using Flutter web and deploying it to Firebase hosting), I'm still getting the CORS errors again:

has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.

Update: Solved when I use https://cors-anywhere.herokuapp.com.

softmarshmallow commented 3 years ago

@aacassandra We'll need more information. app.cors.bridged.cc uses the exact same api. Question: Are you using DIO?

aacassandra commented 3 years ago

@softmarshmallow, no, I'm not using DIO, only http.get with Uri.https(...) from Flutter.

mikelgmh commented 3 years ago

I'm facing the same issue. It worked for me days ago. My headers include access-control-allow-headers: [], x-requested-with: XMLHttpRequest, x-requested-by.

But there's something even more strange, making the request using the webapp (https://app.cors.bridged.cc/) works, but using the API (https://cors.bridged.cc/) doesn't.

This is the endpoint I'm calling: https://www.bilbao.eus/cs/Satellite/bilbobus/es/linea?temporada_linea=VE&codLinea=01&Trayecto1=1

I'm using AJAX to fetch the data in JavaScript, and the app is running on localhost.

cindycc21 commented 2 years ago

I am new to this; I was a user of cors-anywhere. I read above that you need headers to use https://cors.bridged.cc. I am writing in JavaScript, using fetch in a web app. The code is like this:

```javascript
// fetch options: the Yelp bearer token is a placeholder, as in the original post
const extraHeaders = {
  method: 'get',
  headers: new Headers({ "accept": "application/json", 'Authorization': "Bearer KEY FOR YELP" })
}

// proxy URL prefixed to the Yelp search endpoint; locations, term and price are set elsewhere
let URL = 'https://cors.bridged.cc/https://api.yelp.com/v3/businesses/search?location=' + locations + '&term=' + term + '&price=' + price

function getYelp() {
  fetch(URL, extraHeaders)
    .then(function(response) { return response.json() })
    .then(function(data) { console.log('in second then'); freeData(data) })
    .catch(function() { /* catch errors */ })
}
```

When called and run, the browser gives this error. If I use cors-anywhere in front of the API URL, it works. Thoughts?

image

vfonsecaz commented 2 years ago

I can confirm there's a problem with the response size! Currently I have no problem downloading (via an AJAX/XMLHttpRequest request) JSON up to about 3mb, but for anything bigger than that I get an error (the same with the app).

softmarshmallow commented 2 years ago

@vfonsecaz the current limit of the payload is 2mb https://github.com/gridaco/base/blob/main/cors-service/src/limit/payload-limit.ts
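The three failure modes reported in this thread (the missing origin/x-requested-with header, CORS headers present on the OPTIONS preflight but absent from the actual response, and large upstream bodies hitting the 2mb payload limit) all surface in the browser as the same "No 'Access-Control-Allow-Origin' header" message. The following is an added example, not code from the cors.sh project, of the response-header policy a proxy needs so that every reply, including 401 and 413 errors, carries the CORS headers the preflight announced; `buildProxyResponse`, the request/upstream object shapes and the byte-count interpretation of the limit are assumptions for illustration.

```javascript
// Added example (not cors.sh code): CORS header policy for a proxy, modelled as a
// pure function over a request {method, headers} and an upstream reply
// {status, headers, body}. Header keys are lowercase, as Node's http module gives them.
const PAYLOAD_LIMIT = 2 * 1024 * 1024; // the 2mb limit quoted in the thread (assumed bytes)

// Headers that must be on EVERY response, not only the OPTIONS preflight. Chrome
// rejects the actual POST/GET response if they are missing there, even when the
// preflight succeeded (the mismatch seen in the FCM log above).
function corsHeaders(reqHeaders) {
  return {
    'access-control-allow-origin': '*',
    'access-control-allow-methods': 'GET,POST,PUT,DELETE,OPTIONS',
    // echo whatever the browser asked for so authorization, crypto-key, ttl etc. pass
    'access-control-allow-headers': reqHeaders['access-control-request-headers'] || 'x-requested-with',
  };
}

function buildProxyResponse(req, upstream) {
  const cors = corsHeaders(req.headers);

  // Preflight: answered by the proxy itself, before any upstream work.
  if (req.method === 'OPTIONS') return { status: 204, headers: cors, body: '' };

  // The proxy's stated requirement: origin or x-requested-with must be present;
  // the value is irrelevant. Reply with CORS headers so the client sees a 401
  // instead of an opaque CORS failure.
  const h = req.headers;
  if (!('origin' in h) && !('x-requested-with' in h)) {
    return { status: 401, headers: cors, body: 'Unauthorized request: send origin or x-requested-with' };
  }

  // Payload limit: a 413 with CORS headers is diagnosable; a bare error without
  // them shows up in the browser as the misleading "No 'Access-Control-Allow-Origin'".
  if (Buffer.byteLength(upstream.body) > PAYLOAD_LIMIT) {
    return { status: 413, headers: cors, body: 'upstream response exceeds payload limit' };
  }

  // Success: forward upstream headers but let the proxy's CORS headers win, so an
  // upstream access-control-allow-origin for some other site cannot leak through.
  return { status: upstream.status, headers: { ...upstream.headers, ...cors }, body: upstream.body };
}

module.exports = { PAYLOAD_LIMIT, corsHeaders, buildProxyResponse };
```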