Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Update fork #2

Merged
merged 28 commits into from
May 26, 2022
Merged

Update fork #2

merged 28 commits into from
May 26, 2022

Conversation

DiegoFleitas
Copy link
Owner

No description provided.

Rob--W and others added 28 commits May 2, 2020 16:45
@Rob--W
Extend supported Node.js from <=9 to <=14
7222fce
@Rob--W
test-memory: destroy response to free socket
20d5d04 
Starting from Node 12, the test started to fail because of
intermittent socket errors, such as ECONNRESET and "socket hang up".

Destroying the response before triggering a new request resolves it.
@Rob--W
Explicit early out for invalid URLs
4ddb796
@Rob--W
Version 0.4.2
a214003 
- Reject invalid URLs earlier instead of trying to continue with the
  request (and failing anyway).
- Explicitly close the response when an error occurs for Node 13+.
- Update tests to cover up to Node 14 (was up to 9).
@Rob--W
Update test expectation for Node 12.x
001fbef
@Rob--W
test-memory: fix test by passing --max-http-header-size
2579fb6 
The test broke because Node lowered the maximum header size to defend
against large headers ( CVE-2018-12121 ).

In the test, we do actually want to pass large headers, because all
processing in CORS Anywhere is based on headers (the request body would
just be forwarded to the destination server).

The test failed intermittently with ECONNRESET or "socket hang up"
because the server (under test) would close the socket upon receiving
a request with too large request headers.
@Rob--W
Pass --max-http-header-size in supported versions only
0a3b8e9
@Rob--W
Reject invalid redirects
a9e06a9 
Fixes Rob--W#234.
@Rob--W
Version 0.4.3
a0309e6 
- Reject invalid URLs in redirects (fixes regression from 0.4.2) (Rob--W#234)
- Update memory tests for recent Node versions.
@bulk88
only send Access-Control-Max-Age if preflight request, not POST/GET
b3a13b0 
-Access-Control-Max-Age header only has meaning for preflights, not
 POST or GET, saves wire bytes by excluding it from POST/GET/etc,
 and future problems if ACMA on a content HTTP method is given
 meaning by W3C or a browser vendor

-fix expectNoHeader() test helper func ,this was a no-op before by
 accident and would NEVER fail,
 supertest/test.js:Test.prototype._assertFunction requires an retval of
 class type Error if test fail, not a string or a number or Object
@Rob--W
Merge pull request Rob--W#277 from bulk88/no_AC_max_age_header_on_get…
3bab870 
…_post_meth

only send Access-Control-Max-Age if preflight request, not POST/GET
@bulk88
remove Heroku specific Req headers from being sent to Origin
7271e29 
-saves bytes, and avoids triggering IDS/WAF alarms since browser finger
 printing will prove these headers are unnatural and on SSL must be a MITM
 attack

-leave x-forwarded-* intact since they can be used to block CORS proxy
 abuse if the not-CORS origin webmaster really has to block the proxy
 and they are not unique to Heroku platform
@Rob--W
Merge pull request Rob--W#278 from bulk88/no_heroku_headers_to_origin
c8a2091 
remove Heroku specific Req headers from being sent to Origin
@Rob--W
Remove obsolete values from server.js's removeHeaders
528ad71 
`X-Heroku-Dynos-In-Use`, `X-Heroku-Queue-Depth` and
`X-Heroku-Queue-Wait-Time` have already been dropped in 2013:
https://devcenter.heroku.com/changelog-items/218
@Rob--W
Add handleInitialRequest option to support Rob--W#301
9f1af82 
The custom filtering logic is not part of the public repository, to
keep the project clean.
@Rob--W
Expand handleInitialRequest documentation Rob--W#335
4c18680
@Rob--W
Add note about availability of public demo server
1bd9528 
Referencing Rob--W#301
@Rob--W
Update gTLD list
94a325b
@Rob--W
Version 0.4.4
d10efb1 
- Omit unnecessary `Access-Control-Max-Age` (Rob--W#277)
- Remove more Heroku-specific headers (Rob--W#278)
- Add `handleInitialRequest` option (Rob--W#335)
- Document access requirements for public demo (Rob--W#301)
- Update gTLD list
@Rob--W
Support NODE_TLS_REJECT_UNAUTHORIZED=0 to ignore client errors Rob--W…
3c87a51 
…#341

Apparently `NODE_TLS_REJECT_UNAUTHORIZED` is only effective if
`rejectUnauthorized` was not overridden by the code:
https://github.com/nodejs/node/blob/85e6089c4db4da23dd88358fe0a12edefcd411f2/lib/_tls_wrap.js#L1583-L1591

But the underlying library does override it:
https://github.com/http-party/node-http-proxy/blob/v1.11.1/lib/http-proxy/common.js#L53-L55

Fix this by overriding the option via the library's "secure" option.
@Rob--W
Fix test expectation for old node
a9143e7
@Rob--W
Migrate travis-ci from .org to .com
d33bd64
@Rob--W
Add Node 15.x to Travis
207e1e9
@Rob--W
Show "400 Missing slash" when needed Rob--W#238
34ec83b
@Rob--W
Add LICENSE file based on README.md Rob--W#297
02f0cbd
@callmenoodles
Fix typo
c84078b
@Rob--W
Merge pull request Rob--W#376 from alex-lushiku/patch-1
70aaa22 
Fix typo
@DiegoFleitas
Merge branch 'master' of https://github.com/Rob--W/cors-anywhere into…
afb9bd2 
… update-fork
@DiegoFleitas DiegoFleitas merged commit 7b465bf into master May 26, 2022
@DiegoFleitas DiegoFleitas deleted the update-fork branch May 26, 2022 01:06
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
4 participants
@DiegoFleitas @Rob--W @bulk88 @callmenoodles