A Cloudflare Worker that proxies any request and injects certain headers that allows the resource to be accessed from cross origins.
This worker allows any fully qualified URL to be proxied, if for some reason an invalid URL is provided, it will return a 400 Bad Request response containing the faulty URL string.
Once you have this Cloudflare Worker up and running, you can just prepend its url to whatever resource needs CORS.
const corsProxy = 'https://worker.example.com/'
// This is a direct request, which will be blocked.
myRealRequest('https://blocked.cors.net/resource.jpg?id=1234')
// This is a proxied request, which will _not_ be blocked.
myRealRequest(`${corsProxy}https://blocked.cors.net/resource.jpg?id=1234`)
function myRealRequest(url) {
fetch(url).then(response => myProcessingFunction(response))
}Constant Headers - Headers that will always be returned in the response
| Header | Value |
|---|---|
Access-Control-Allow-Origin |
* |
Access-Control-Expose-Headers |
* |
Variable Headers - These headers have special behaviors depending if they are used or not during the request
| Header | Behavior |
|---|---|
Access-Control-Max-Age-Override |
Value is cloned into Access-Control-Max-Age |
Access-Control-Request-Methods |
Value is cloned into Access-Control-Allow-Methods |
Access-Control-Request-Headers |
Value is cloned into Access-Control-Request-Headers |
These are the environment variables that are currently supported
| Environment Variable | Description | Response when Triggered |
|---|---|---|
WCA_DESTINATION_HOSTNAME_ALLOW_LIST |
Comma separated list of domains that are allowed to be proxied | 403 Forbidden |
WCA_DESTINATION_HOSTNAME_BLOCK_LIST |
Comma separated list of domains that are blocked from being proxied | 403 Forbidden |
WCA_REQUIRE_ORIGIN |
If set to true, either the Origin or X-Requested-With headers are required | 400 Bad Request |
WCA_ORIGIN_HOSTNAME_ALLOW_LIST |
Comma separated list of origin domains that are allowed to request a proxied resource | 403 Forbidden |
WCA_ORIGIN_HOSTNAME_BLOCK_LIST |
Comma separated list of origin domains that are blocked from requesting a proxied resource | 403 Forbidden |
This project currently has only two dependencies, this is because of the current bugged state of the built-in runtime URL library, which causes URLs to be improperly parsed, example:
Input: https://worker-cors-anywhere.example.com/https://www.google.com/
Output: https://worker-cors-anywhere.example.com/https:/www.google.com/ (It loses a / from the first // found in the URL path)
Therefore, whatwg-url is used as a URL substitute and webpack to build the project into a single Cloudflare Workers compatible script.
To generate using wrangler
wrangler generate projectname https://github.com/Seenko/worker-cors-anywhere
Further documentation for Wrangler can be found here.