How to whitelist my local app? #306
Comments
Yes. CORS Anywhere is a proxy designed to allow web applications in web browsers to access resources from URLs that do not support CORS. Validation is solely based on request headers (
Generally not. But there may be alternatives. In order, from best to worst:
OK thanks for that. So it sounds like there is no way—or no easy way—to whitelist only my local app. Would you agree with that? I’m not upset or trying to call you out or anything—I just want to make sure I’m understanding the situation so I can take the next step. This is just a non-critical My First App side project of mine, so I’m mainly interested in learning best practice so I can apply it to future projects. As far as your four suggestions:
Thanks.
If you want to host the server on the public internet, then it is indeed not possible to whitelist only your "local app", because your local app is indistinguishable from other "local apps" on other computers, because all of these "local apps" have a common origin that's exposed through the Origin request header. Given your constraints, option 2 sounds like the best option, followed by option 3.
OK thanks for that explanation--it makes everything clear. I'll go with my browser extension then.
Hello. I have set up a clone of this app and deployed it to Heroku. Your instructions indicate that I should now whitelist only the app that needs to connect to my Heroku cors-anywhere app. As I understand, to do this, I need to set an environmental variable (aka a Heroku config var) with the key CORSANYWHERE_WHITELIST, and a value. But what value should I use, given these details:
localhost:3000.
http://AAA.BBB.CCC.DDD.
2001:0db8:0000:0000:0000:8a2e:0370:7334.
I tried http://AAA.BBB.CCC.DDD (with these variations: with/without the port number appended, http/https), but my local app could not access the Heroku app. It was rejected with a 403 Forbidden error, which I guess is expected if the local app is not properly whitelisted by the Heroku app.
If I use the value http://localhost:3000, my local app can then access the Heroku app. But doesn't that mean local apps on port 3000, on any computer, can access my Heroku app? If so, how do I restrict access to only the local app on my computer?
Thanks.
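The behaviour discussed in this thread, as an added JavaScript example that is not part of the thread and not CORS Anywhere's own code: a simplified model of a whitelist that looks only at the Origin request header, showing why an IP-based value yields 403 and why `http://localhost:3000` admits the same page on any computer. Assumptions: the function names, the exact-match comparison, the "empty list allows all" rule and the sample addresses (documentation ranges) are constructed for illustration.

```javascript
// Added example: a simplified model of an Origin-header whitelist.
// Assumptions: comma-separated list, exact string match, empty list allows all.
function parseWhitelist(envValue) {
  return (envValue || '').split(',').map((s) => s.trim()).filter(Boolean);
}

// Returns the status a proxy using this model would answer with.
// Only the Origin request header is consulted; remoteAddress is never read.
function check(whitelist, request) {
  const origin = request.headers.origin || '';
  if (whitelist.length > 0 && !whitelist.includes(origin)) return 403;
  return 200;
}

// Constructed requests. The browser sets Origin from the page's own
// scheme://host:port, so both pages served from localhost:3000 send the same value.
const sampleRequests = [
  { from: 'my laptop', remoteAddress: '203.0.113.10',
    headers: { origin: 'http://localhost:3000' } },
  { from: 'another laptop', remoteAddress: '198.51.100.77',
    headers: { origin: 'http://localhost:3000' } },
];

// Evaluates every sample request against one whitelist value.
function evaluate(envValue) {
  const whitelist = parseWhitelist(envValue);
  return sampleRequests.map((r) => ({ from: r.from, status: check(whitelist, r) }));
}

// Whitelisting my public IP (constructed placeholder) rejects even my own app,
// because the Origin header never carries the client's IP.
console.log(evaluate('http://203.0.113.10'));
// Whitelisting the local origin admits every machine's localhost:3000 page.
console.log(evaluate('http://localhost:3000'));
```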