add targetHostWhitelist

Rob--W · May 6, 2021 · 62a3cc7 · 62a3cc7
1 parent 36d99cb
commit 62a3cc7
Show file tree

Hide file tree

Showing 2 changed files with 10 additions and 0 deletions.
diff --git a/lib/cors-anywhere.js b/lib/cors-anywhere.js
@@ -261,6 +261,7 @@ function getHandler(options, proxy) {
     maxRedirects: 5,                // Maximum number of redirects to be followed.
     originBlacklist: [],            // Requests from these origins will be blocked.
     originWhitelist: [],            // If non-empty, requests not from an origin in this list will be blocked.
+    targetHostWhitelist: [],        // If non-empty, requests not to a host in this list will be blocked.
     checkRateLimit: null,           // Function that may enforce a rate-limit by returning a non-empty string.
     redirectSameOrigin: false,      // Redirect the client to the requested URL for same-origin requests.
     requireHeader: null,            // Require a header to be set?
@@ -371,6 +372,13 @@ function getHandler(options, proxy) {
       return;
     }
 
+    var targetHost = location.host;
+    if (corsAnywhere.targetHostWhitelist.length && corsAnywhere.targetHostWhitelist.indexOf(targetHost) === -1) {
+      res.writeHead(403, 'Forbidden', cors_headers);
+      res.end('The host "' + targetHost + '" was not whitelisted by the operator of this proxy.');
+      return;
+    }
+
     var rateLimitMessage = corsAnywhere.checkRateLimit && corsAnywhere.checkRateLimit(origin);
     if (rateLimitMessage) {
       res.writeHead(429, 'Too Many Requests', cors_headers);

diff --git a/server.js b/server.js
@@ -9,6 +9,7 @@ var port = process.env.PORT || 8080;
 // use originWhitelist instead.
 var originBlacklist = parseEnvList(process.env.CORSANYWHERE_BLACKLIST);
 var originWhitelist = parseEnvList(process.env.CORSANYWHERE_WHITELIST);
+var targetHostWhitelist = parseEnvList(process.env.CORSANYWHERE_TARGETHOST_WHITELIST);
 function parseEnvList(env) {
   if (!env) {
     return [];
@@ -23,6 +24,7 @@ var cors_proxy = require('./lib/cors-anywhere');
 cors_proxy.createServer({
   originBlacklist: originBlacklist,
   originWhitelist: originWhitelist,
+  targetHostWhitelist: targetHostWhitelist,
   requireHeader: [],//['origin', 'x-requested-with'],
   checkRateLimit: checkRateLimit,
   removeHeaders: [