惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

F
Full Disclosure
Stack Overflow Blog
Stack Overflow Blog
H
Help Net Security
Microsoft Azure Blog
Microsoft Azure Blog
The GitHub Blog
The GitHub Blog
cs.CV updates on arXiv.org
cs.CV updates on arXiv.org
cs.AI updates on arXiv.org
cs.AI updates on arXiv.org
Recorded Future
Recorded Future
Y
Y Combinator Blog
Cloudbric
Cloudbric
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
S
Schneier on Security
K
KPMG report finds enterprise disconnect between AI and its ROI | CIO
C
Cybersecurity and Infrastructure Security Agency CISA
TaoSecurity Blog
TaoSecurity Blog
Security Latest
Security Latest
N
News and Events Feed by Topic
Hacker News - Newest:
Hacker News - Newest: "LLM"
D
DataBreaches.Net
Security Archives - TechRepublic
Security Archives - TechRepublic
H
Hacker News: Front Page
C
Cisco Blogs
L
LangChain Blog
aimingoo的专栏
aimingoo的专栏
Recent Commits to openclaw:main
Recent Commits to openclaw:main
V
Vulnerabilities – Threatpost
L
LINUX DO - 最新话题
cs.CL updates on arXiv.org
cs.CL updates on arXiv.org
Google Online Security Blog
Google Online Security Blog
D
Darknet – Hacking Tools, Hacker News & Cyber Security
A
About on SuperTechFans
www.infosecurity-magazine.com
www.infosecurity-magazine.com
Jina AI
Jina AI
C
CXSECURITY Database RSS Feed - CXSecurity.com
Schneier on Security
Schneier on Security
T
Tenable Blog
N
News and Events Feed by Topic
W
WeLiveSecurity
有赞技术团队
有赞技术团队
AI
AI
爱范儿
爱范儿
大猫的无限游戏
大猫的无限游戏
Latest news
Latest news
T
The Blog of Author Tim Ferriss
S
Security Affairs
Know Your Adversary
Know Your Adversary
Simon Willison's Weblog
Simon Willison's Weblog
G
GRAHAM CLULEY
Google DeepMind News
Google DeepMind News
The Cloudflare Blog

StackBlitz Blog

Cloudflare is now backing pkg.pr.new’s data infrastructure! Bolt 100K Open Source Fund ViteConf 2024 was a blast Unbundling the JavaScript ecosystem StackBlitz is joining the Open Source Pledge Announcing TutorialKit: Interactive tutorials in the browser Get ready for ViteConf 2024 Announcing pkg.pr.new StackBlitz welcomes Ari Perkkiö, core team member of Vitest Catch us at Figma Config WebContainers and the future of web dev (interview with Jòan Varvenne) Open Source at StackBlitz How to document design system components What is Vite (and why is it so popular)? Improving the developer experience of enterprise design systems Flow state: Why fragmented thinking is worse than any interruption What is Storybook? An Overview for Developers The Self-Rendering Eval Shirt Starters Upgrade: WebContainers and Vite Putting the Dev in Figma’s Dev Mode Announcing StackBlitz Self-hosted Building Together in Illinois 5 lessons design systems teams can learn from open-source maintainers Announcing Native Language Support in WebContainers Introducing StackBlitz Teams ViteConf is back! Bringing Sharp to WebAssembly and WebContainers npm, yarn and pnpm are now supported natively in WebContainers The Atomic Waltz: Unraveling WebAssembly Issues in V8 and SpiderMonkey WebContainers now run on Safari, iOS, and iPadOS Now I am become the Destroyer of Threads WebContainer API is here. StackBlitz September 2022 Update StackBlitz August 2022 Update StackBlitz July 2022 Update Introducing: Collections and Social Previews! Down the caching-hole: adventures in Announcing ViteConf StackBlitz June 2022 Update The Fox and the Bolt: Bringing WebContainers to Firefox WebContainers are now supported in Firefox on desktop and Android StackBlitz May 2022 Update StackBlitz April 2022 Update Cloudflare and StackBlitz partner to bring Cloudflare Workers to your browser Powering over 2M developers a month, StackBlitz has raised $7.9M StackBlitz March 2022 Update Announcement: WebContainers are out of beta in Chromium StackBlitz has joined the Bytecode Alliance StackBlitz February 2022 Update Bringing WebContainers to all Browsers: a call to action for COEP Credentialless Cross-Browser support with Cross-Origin isolation StackBlitz welcomes Patak, core maintainer of Vite Chasing Memory Bugs through V8 and WebAssembly Remix v1 has landed, and it runs on WebContainers SvelteKit is now fully supported in WebContainers We Shopify partners with StackBlitz to bring Hydrogen development in-browser StackBlitz September 2021 Update Introducing Vite.new Templates! Announcing WebContainers Astro support! 🛰 Introducing: SQLite3 support in WebContainers! 🧪 StackBlitz July 2021 Update StackBlitz June 2021 Update Introducing WebContainers: Run Node.js natively in your browser Interactive Docs: The new norm for Remote Work
Avoiding CORS issues with this one simple trick
Thom Barlow Engineer at StackBlitz. Smashing bits into each othe · 2024-05-07 · via StackBlitz Blog

Bringing development environments to the browser has a lot of benefits. You can make use of built-in browser developer tools to natively debug your code. You can share them with a link and trust they’ll behave the same way across devices. You can even avoid supply chain attacks by running code within the secure browser sandbox.

There are, of course, tradeoffs with these benefits. For one, making requests to external services means grappling with Cross-Origin Resource Sharing, or CORS.

Until now.

We’re excited to share the general availability of the CORS Proxy in StackBlitz. With this release, users with a StackBlitz subscription can easily work with external services and APIs like Firebase, Auth0, and more.

In this post, we’ll talk a bit about what CORS is and the unique challenges it introduces when making requests from within the browser sandbox.

A brief history of CORS

In the beginning¹, we had the same-origin policy. The same-origin policy prevents scripts from accessing resources in other webpages if they are from different origins² preventing malicious scripts from reading your cookies and POSTing transactions to your bank.

“But wait!” said developers, “Sometimes we want to use scripts to access resources from other origins. We have this thing called AJAX now and we want to use it to pull our XML data from other servers!” they continued, not realising how absurd using XML for this would seem in a few years.

After some grumbling (and an existing implementation already in the wild), W3C and some browser vendors came up with the “Authorizing Read Access to XML Content Using the <?access-control?> Processing Instruction 1.0” specification³. Quickly realising this was an unwieldy name, they changed it to “Cross-Origin Resource Sharing” and CORS was born.

The premise was this: you specify which other origins are allowed to request resources from you. This ensures that resources are secure by default, and you have to opt-in and say who you want to give access to for each resource. Resources can be (willingly) shared, and everyone was happy⁴.

1 Ok, it was really in 1996

2 An origin is comprised of a scheme, host, and port: https://example.com:80

3 In an alternative timeline, we would be allowing CORS requests with XML declarations: <?access-control allow="www.example.com"?>

4 Just kidding. The limitations of CORS remain a frustration to web developers to this day. They even had to add the dreaded “Preflight request” that everyone hates having to support, to ensure that legacy servers that do not implement CORS are correctly ignored.

CORS Flowchart

Image credit: @forrestbrazeal ( Original )

What this means for StackBlitz

When developing local services that talk to each other outside a browser, be it HTTP or raw sockets or otherwise, you don’t have to worry about CORS. Indeed, a node-based HTTP client can request resources from anywhere, even if the origin it comes from is not explicitly allowed by CORS.

This poses a problem when you try and bring that local development into the browser: you can only connect to hosts on your local network and are isolated from the rest of the web, unless some external site specifically allows you to make CORS requests there.

This makes things as trivial as curl google.com fail. Sometimes libraries want to load assets that wouldn’t normally need CORS permission, so it’s never set for it and fails. Lots of different use cases are suddenly off limits.

a flowchart showing how CORS proxy requests are handled

The Workaround

So how can we fix this? Easy! We create a service that lives outside of the browser that acts like a proxy to make the requests for us!

In WebContainers, if we detect a request is being made to an external host, we instead redirect this to a proxy which has no CORS restrictions whatsoever. After making the request, the CORS proxy will respond with the response it receives from the request, along with some metadata used to reconstruct the response fully.

Now we can request anything and there’s nothing your browser can do about it!

a flowchart showing how StackBlitz's CORS proxy handles requests

The Details

If you’re interested in how it works:

When a CORS proxy request is made in WebContainers, the hostname of the target URL is replaced with the CORS proxy address, leaving the path and query params intact.

Some additional headers are added to the request:

X-StackBlitz-Host: Contains the original replaced host. Used to reconstruct the original URL.

X-StackBlitz-Origin: Contains the origin host. Used to verify the origin of the request.

X-StackBlitz-User-Agent: Contains the user agent to be forwarded. Specified as a header as the browser ignores it otherwise.

If the origin is valid, the proxy makes the requests and responds with the result.

Passing the User Agent allows us to actually modify it, as browsers normally drop the regular User-Agent header in requests.

Try it out

If the CORS proxy has been enabled on a project you’re viewing by the project owner, no subscription is required to use it! Here’s an example you can try.

To enable the CORS proxy in your StackBlitz account, you’ll first need to ensure you have a Personal+ or are a member of a team with an active Teams subscription. You can start a free, 14-day trial of StackBlitz Teams or use the code CORSPROXY for 1 free month of Personal+.

Once you have upgraded your account, if you create a .stackblitzrc file in the root of your project with the following content:

{
  "corsProxy": true
}

This will enable the CORS Proxy!