Skip to content


Repository files navigation

Fetch Robot

Run fetch() through an iframe proxy to avoid dealing with CORS.

Uses post-robot for frame-to-frame communication.


  • CORS requires server-side changes on each endpoint
  • For non-GET requests, preflight requests must be sent to verify the origin, which affects site-speed
  • Support is limited in older browsers
  • CORS headers only allow a certain degree of granularity


Let's say:

  • I'm on
  • I want to make a request to

In the parent window

<script src=""></script>

    // Create a proxy instance and open the iframe

    let proxy = fetchRobot.connect({ url: '' });

    // Use `proxy.fetch` in the same way as `fetch`

    proxy.fetch('', { method: 'POST' })
        .then(response => response.text())

In the child window

<!-- Add a fetch polyfill for older browsers -->
<script src=""></script>
<script src=""></script>

    // Enable requests to be passed through the current frame using fetchRobot


        allow: [
                path: [

                headers: [

                origin: '',

                path: [

                headers: [

                credentials: 'include'


Pass one or more rules in allow.

  • If any of the rules pass for a given request, the request will be allowed through.
  • If no rules pass, the request will error out

Each option in a rule can be one of:

  • string (e.g. origin: '')
  • array (e.g. origin: [ '', '' ])
  • regex (e.g. origin: new RegExp('https://(foo|bar)\.com'))
  • wildcard (e.g. origin: '*')

Available options

  • origin - The domain(s) from which the request can be sent
    • default: '*'
  • domain - The domain(s) to which the request can be sent
    • default: domain where fetchRobot.serve() was called
  • path - The path(s) to which requests can be sent
    • default: []
  • query - The query param(s) which can be sent with the request
    • default: '*'
  • credentials - The credential level which can be sent with requests
    • default: [ 'omit' ]
  • method - The method(s) with which requests can be sent
    • default: [ 'get', 'head', 'post', 'put', 'delete', 'connect', 'options', 'trace', 'patch' ]
  • headers - The headers(s) which can be sent with the request
    • default: [ 'accept', 'accept-language', 'content-language', 'content-type' ]
  • responseHeaders - The header(s) which can be sent with the response
    • default: [ 'cache-control', 'content-language', 'content-type', 'expires', 'last-modified', 'pragma' ]

Quick Start

Getting Started

  • Run setup: ./
  • Start editing code in ./src and writing tests in ./tests
  • gulp build


npm run build


  • Edit tests in ./test/tests

  • Run the tests:

    gulp test

Testing with different/multiple browsers

npm run karma -- --browser=PhantomJS
npm run karma -- --browser=Chrome
npm run karma -- --browser=Safari
npm run karma -- --browser=Firefox
npm run karma -- --browser=PhantomJS,Chrome,Safari,Firefox

Keeping the browser open after tests

npm run karma -- --browser=Chrome --keep-browser-open


  • Publish your code: ./