forked from Rob--W/cors-anywhere
merge upstream #1
Merged
to unlock goodies such as --inspect / --inspect-brk
When proxyReq is aborted (by us - in response to a redirect response), it can ultimately trigger an "error" event of type ECONNRESET. This error was unconditionally propagated to the error handler:
https://github.com/nodejitsu/node-http-proxy/blob/v1.11.1/lib/http-proxy/passes/web-incoming.js#L134-L140
Our proxy error handler responds by writing a response + error code, which prevents the response from being overwritten.
I found this after upgrading the nock library to 5.2.1+, which contains nock/nock@510e31c. The redirect tests that were previously passing in Node 0.10.x were failing, with errors like "Can't set headers after they are sent.".
The new implementation makes sure that the proxied response is not forwarded to the original response.
The most recent version that was explicitly marked as compatible with Node.js 0.10.x
This communicates more clearly for which versions of Node.js the tests have run. 8 is not listed because tests are failing due to the nock HTTP mocking library being incompatible with Node v8.
Locally Node v7 and v8 also have higher memory expectations, so just use the same maximum memory value for v0.x and non-v0.x.
…th this value (in seconds) will be added.
Set corsAnywhereRequestState before calling withCORS and use the state instead of a parameter to get corsMaxAge.
Allow caching of CORS headers by setting Access-Control-Max-Age header
NPM 5.5.1 is not compatible with Node.js 9.1.0. Let's use the npm that ships with node.
Locally tested that the tests pass with Node 9.0.0 and 9.1.0. Also modified a test expectation for Node 9.0.0+
Travis build failed on "Uncaught TypeError: Object.keys called on non-object". That's a real error (res._headers was initially null until a header is set).
- Add ability to rate-limit/block requests by origin (Rob--W#45).
- Avoid crashing on invalid HTTP status codes (Rob--W#95).
- Support and test coverage for latest Node.js versions (up to 9).
- Support `Access-Control-Max-Age` via `corsMaxAge` option.
- Listen on `0.0.0.0:8080` by default instead of `127.0.0.1:8080`. (use `HOST` and `PORT` environment variables to override this).
- Update gTLD list.
Starting from Node 12, the test started to fail because of intermittent socket errors, such as ECONNRESET and "socket hang up". Destroying the response before triggering a new request resolves it.
- Reject invalid URLs earlier instead of trying to continue with the request (and failing anyway).
- Explicitly close the response when an error occurs for Node 13+.
- Update tests to cover up to Node 14 (was up to 9).
The test broke because Node lowered the maximum header size to defend against large headers (CVE-2018-12121). In the test, we do actually want to pass large headers, because all processing in CORS Anywhere is based on headers (the request body would just be forwarded to the destination server). The test failed intermittently with ECONNRESET or "socket hang up" because the server (under test) would close the socket upon receiving a request with too large request headers.
- Reject invalid URLs in redirects (fixes regression from 0.4.2) (Rob--W#234)
- Update memory tests for recent Node versions.
- Access-Control-Max-Age header only has meaning for preflights, not POST or GET, saves wire bytes by excluding it from POST/GET/etc, and future problems if ACMA on a content HTTP method is given meaning by W3C or a browser vendor
- fix expectNoHeader() test helper func, this was a no-op before by accident and would NEVER fail, supertest/test.js:Test.prototype._assertFunction requires a retval of class type Error if test fail, not a string or a number or Object
…_post_meth only send Access-Control-Max-Age if preflight request, not POST/GET
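The preflight-only `Access-Control-Max-Age` behaviour and the `expectNoHeader()` fix described in the commits above (and the `corsMaxAge` state lookup from the earlier commit), as an added example that is not the project's code. `withCORS` here takes the state as a third argument, and `expectNoHeaderBroken` and `runCheck` are hypothetical stand-ins, the latter for a runner that only treats `Error` return values as failures.

```javascript
'use strict';
// Added illustration, not the cors-anywhere source. `state` stands in for
// req.corsAnywhereRequestState; 600 below is a constructed value.
function withCORS(headers, request, state) {
  headers['access-control-allow-origin'] = '*';
  // Max-Age only controls the preflight cache, so send it for OPTIONS only.
  if (request.method === 'OPTIONS' && state.corsMaxAge) {
    headers['access-control-max-age'] = String(state.corsMaxAge);
  }
  return headers;
}

// Fixed helper: failure is reported as an Error instance.
function expectNoHeader(name) {
  const key = name.toLowerCase();
  return function (res) {
    if (key in res.headers) {
      return new Error('Unexpected header ' + name + ': ' + res.headers[key]);
    }
  };
}

// Hypothetical broken variant: same check, but failure is a plain string.
function expectNoHeaderBroken(name) {
  const key = name.toLowerCase();
  return function (res) {
    if (key in res.headers) {
      return 'Unexpected header ' + name;
    }
  };
}

// Hypothetical stand-in for a runner that fails only on Error return values.
function runCheck(check, res) {
  return check(res) instanceof Error ? 'fail' : 'pass';
}

function demo() {
  const state = { corsMaxAge: 600 };
  const preflight = { headers: withCORS({}, { method: 'OPTIONS' }, state) };
  const get = { headers: withCORS({}, { method: 'GET' }, state) };
  const h = 'Access-Control-Max-Age';
  return {
    preflightMaxAge: preflight.headers['access-control-max-age'],
    getClean: runCheck(expectNoHeader(h), get),
    fixedOnPreflight: runCheck(expectNoHeader(h), preflight),
    brokenOnPreflight: runCheck(expectNoHeaderBroken(h), preflight),
  };
}
console.log(demo());
```

The `brokenOnPreflight` result is the silent pass: the header is present, yet the string return value is never counted as a failure.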
- saves bytes, and avoids triggering IDS/WAF alarms since browser fingerprinting will prove these headers are unnatural and on SSL must be a MITM attack
- leave x-forwarded-* intact since they can be used to block CORS proxy abuse if the not-CORS origin webmaster really has to block the proxy and they are not unique to Heroku platform
remove Heroku specific Req headers from being sent to Origin
`X-Heroku-Dynos-In-Use`, `X-Heroku-Queue-Depth` and `X-Heroku-Queue-Wait-Time` have already been dropped in 2013: https://devcenter.heroku.com/changelog-items/218
The custom filtering logic is not part of the public repository, to keep the project clean.
- Omit unnecessary `Access-Control-Max-Age` (Rob--W#277)
- Remove more Heroku-specific headers (Rob--W#278)
- Add `handleInitialRequest` option (Rob--W#335)
- Document access requirements for public demo (Rob--W#301)
- Update gTLD list
…#341
Apparently `NODE_TLS_REJECT_UNAUTHORIZED` is only effective if `rejectUnauthorized` was not overridden by the code:
https://github.com/nodejs/node/blob/85e6089c4db4da23dd88358fe0a12edefcd411f2/lib/_tls_wrap.js#L1583-L1591
But the underlying library does override it:
https://github.com/http-party/node-http-proxy/blob/v1.11.1/lib/http-proxy/common.js#L53-L55
Fix this by overriding the option via the library's "secure" option.
🧰 Changes
🧬 QA & Testing
none