Rob--W/cors-anywhere

Whitelisting subdomain doesn't work as expected

sibsfinx opened this issue · 0 comments

sibsfinx commented

I'm running cors-anywhere via pm2:

CORSANYWHERE_WHITELIST=https://www.test.mydomain.com/,https://www.mydomain.com/ PORT=8080 pm2 start server.js --name cors-anywhere

when trying to reach it from a subdomain, I get 403:

const r = await fetch("https://cors.mydomain.com/https://some-iframe-url.io/", {
  "headers": {
      "origin": "https://www.test.mydomain.com/",
  }
});

// fails with 403
// The origin "https://www.gamma.vectary.com" was not whitelisted by the operator of this proxy.

But when doing the same from a 2nd level domain, it's all good

const r = await fetch("https://cors.mydomain.com/https://some-iframe-url.io/", {
  "headers": {
      "origin": "https://www.mydomain.com/",
  }
});

// 200 OK

Am I missing anything?