
(yes, I am sad because an interesting side project just fell apart due to a lack of CORS headers. And no, proxying isn't an option due to the resource sizes)
85 replies and sub-replies as of Jan 28 2020

💭 I'll explain why I'm ranting about CORS. 💭 But wait, folks are just going to tell me to use a proxy. 💭 It's ok, I'll avoid that by saying a proxy isn't the answer. HAHA ➡️WRONG⬅️
It's ok, I've got a video coming out later where I claim that URLs are impossible for humans to understand, and that browsers should change how their URL bars work. I'm sure Twitter will be a much nicer place then.
preemptive RIP jake
also I pledge to watch at least 60 seconds before I disagree
I’ll watch for as long as it takes to type “well actually”
👋🏻 You had a good run, Jake. Blessings on what’s next.
Frankly Jake I'm just bored of you having opinions that differ to mine and that you have the audacity to share them on social media
Hi Jake, have you tried using a proxy? I think it’s the answer to all your problems and it’s clear you haven’t thought of it. I can explain how it works if you want! I know you must not know because you obviously haven’t exhausted that idea yet :)
I didn't read the original tweet, but did you try updating your drivers?
Hey Jake, I hope you’re having a wonderful day. Do you have a moment to talk about our lord and saviour, Proxy?
ugh proxies are a pain in the arse, I made one for my podcast web app for the audio files, so tricky to hook everything up and it still wouldn't work right most of the time.
If you have the time/energy you might want to look at service workers acting as browser-local proxies for that sort of content.
They can't add CORS headers to something that didn't already have CORS headers. If they could do that, it'd break the whole security model of the web.
All I can say is that there is more flex there than might be obvious. But yep, in the end you need some co-operation from the site that hosts the mp3s in this case.
I'm somewhat familiar with service workers
and by "somewhat" you mean "extremely" 😆
I should give you a demo of our hack some time.
Oh Jake... those replies... I feel very sorry for you 😂
Couldn't you have just explained it via a proxy?
For real though can we get a serious answer for why a Proxy wouldn't work? (when you're less pissed 🙂)
The idea was to build a tool that would help folks sync items in a Google Photos album to a local directory. I use a node script for this, but wicg.github.io/native-file-sy… would bring it to the web. Unfortunately, although the Google Photos API supports CORS, the image URLs don't. …
A proxy would be transferring 100s of megabytes, if not gigabytes, which would be a maintenance and cost burden. Also it defeats the point of a project that was about powerful features on the frontend.
Makes perfect sense - thank you.
Ah, and embedding an image is fine, but getting its content requires CORS. It makes sense, but :(
I don't see why they can't add CORS headers, they just haven't.
Wait ...... .......... Don't you work for Google? Surely you can just Slack the relevant engineer and just get them to add a fucking CORS header???? Or add a new endpoint?!?!?!?! That project sounds seriously cool.
Haha yeah, I got in contact with them, but they're unsure about it from a security point of view. It might be a misunderstanding of how CORS works, hence
PSA: It's safe to put "Access-Control-Allow-Origin: *" on any response, *unless* that response's data is 'secured' by something other than cookies, basic auth, or TLS client certificates.
Ohhhhhh. Sub-tweeting your own colleague ;)
It could be that I'm missing some complicating factor. I've definitely been wrong before 😀
Reasons I like being a Chrome Extension Dev, #99: I can blow up CORS when I need to by adding the domain to my permissions list in the manifest.
Maybe I should actually make a real list of these... Floating in the top 10 would be “I can always assume the user is using a modern browser, and can use new/novel APIs and JS features in the browser often without polyfills or fallbacks.“
Oh. Help me understand? Either an article or a Skype call ?
Someone didn't add CORS headers to an API
Right, but how does a whole project fall apart? Isn't it fixable?
No, the browser needs to be able to access that particular resource.
I've had an issue open on a bug tracker for years, for a project whose assets are on S3, just for them to adjust the config to enable CORS headers. It's frustrating.
When people compare web apps to native ones, CORS is rarely in the conversation. Native apps have that over web. I’ve abandoned a side project for the same reason.
How does the resource size impact the ability to proxy? Potential cost, or a technical reason?
(and also maintenance of adding a server to a project that otherwise wouldn't need one, and not needing one was kinda the point)
boy do I have a project for you
I've had the same problem with GitHub: they don't have CORS headers on their git-over-HTTPS endpoint, which both Bitbucket and GitLab do. So just for GitHub I was forced to have a server-side proxy. Just for them. 😕
I still have hope for that proposal (by FF IIRC?) to come around eventually
Same issue with material.money back in the day. Had to add a server just to proxy the currency rates from the European Central Bank. It's frustrating 😕
If it's a client-side project, you could deploy to @Netlify and leverage redirects as a proxy with no cost implications. Just a thought.
Netlify has bandwidth limitations for free projects. Like I said, proxying isn't really an option here.
I personally became a hater of CORS lately! Any bad-intentioned one could proxy requests with two lines of code in node. Only good people have to waste their time dealing with it :/ I know there are other (also skippable) reasons, but are they worth it nowadays?! :(
Putting your project behind some WAF (Web Application Firewall) isn't an option?
I don't really know what that means
A WAF is a layer (works like a proxy) focused on security. A WAF mitigates DDoS and script injection and puts a lot of headers and security enhancements on your requests. Cloudflare offers WAF as a service; you can see more at cloudflare.com/learning/ddos/…
I don't see how this solves the problem I'm having
You say a proxy isn't an option because of the resource sizes. Using a WAF, you could proxy big resources, increasing security and including CORS, CSP and any security headers you want. Maybe I'm not understanding your problem clearly.
Is doing this free? For potentially 100s of gigabytes of data?
proxying isn't an option due to the resource sizes
maybe a local proxy and a headless browser can do the trick
And get every user to install a local web server to use the site?
no, you can configure your server to headlessly browse the resources and then stream them to the user
This is called 'proxying' right?
yeah give it a try
IK you said no proxying, but have you considered Cloudflare Workers? Large free tier (10m req), then $0.50 per million req. They have no price on bandwidth, so large files are not an issue. CORS example: developers.cloudflare.com/workers/templa… Bonus: Workers have a similar API to service workers.
CORS Header Proxy - Cloudflare Workers Docs
Add necessary CORS headers to a third party API response
proxying isn't an option due to the resource sizes
Jake, I said that CF Workers do not have size and bandwidth limits. You pay for the number of requests, not the bandwidth.
Limits - Cloudflare Workers Docs
Use Cloudflare’s APIs and edge network to build secure, ultra-fast applications.
Proxying isn't a solution to the problem I have. I can't stress that enough.
Ok, I understand. You said as a response to another question that your problem was one of cost and not of technical feasibility, so I thought I'd mention an option where the price is minimal for your use case. I agree tho that having CORS in the first place is better than proxying
(and also maintenance of adding a server to a project that otherwise wouldn't need one, and not needing one was kinda the point)
bundling the app in a custom Electron with CORS disabled? 😇 hey, at least I didn't say "proxy" 😂😇
Chrome extension for adding CORS headers on responses? 🤔 developer.chrome.com/extensions/web…
Yea, I can see that asking users to install an extension (or an electron app!) to use your web app is a good solution :).
sure, it is an awful (working) solution; what alternative solutions do you propose?
can you implement it as a WebExtension? Those can get extra permission (from the user) on install to get around CORS
Annoying comment: Cloudflare workers. No bandwidth cost. $5 a month.
Annoying for two reasons: 1️⃣ A proxy isn't the answer to the problem I have. 2️⃣ You're not even the first in the thread to suggest Cloudflare workers.
Well bummer, was hoping your side project would work out.
Surely I'm not adding any value, but would a load balancer help? Is it considered a proxy too? I'm not sure
hey Jake! I don't know if you've thought about this, or maybe even know if the technology exists! what you do is set up a server, hit the API from there, then send it to your web app from your server so CORS isn't an issue! it's called "proxying". 😁
resource size/bandwidth can be an issue, though, so good thing that's not a problem in this case. and since you have a server set up for the project anyway, it should be easy enough to implement.