Require `Origin` header

hyperobject / crossorigin.me

A CORS proxy for everyone.

http://crossorigin.me

MIT License

679 stars 132 forks source link

Require `Origin` header #69

Closed tjvr closed 7 years ago

tjvr commented 7 years ago

Based on the previous PR #68, this delightful piece of code sends a 403 if people try to access crossorigin from:

the same origin (ie. crossorigin.me)
a browser, without using XHR
anything that doesn't set the Origin header

Pros:

Harder to abuse the proxy for casual browsing, eg http://crossorigin.me/http://scratch.mit.edu/ or http://crossorigin.me/http://imgur.com

Cons:

Not as easy to debug your code?
Trivially workaroundable -- curl -H 'Origin: foo' ...

hyperobject commented 7 years ago

Here's the gist of my concern about this: any AJAX/XHR request from JS should Just Work™. I'm not sure if standard ajax/xhr request things add these headers?

tjvr commented 7 years ago

XHR requests add CORS headers. I believe Origin is part of the CORS spec. This should allow any JS requests, while disallowing casual browsing.

hyperobject commented 7 years ago

(btw, can you rebase this on master? Looks like there are some conflicts in the test files)

tjvr commented 7 years ago

done :)