Target restriction

[davidhoksza]

The server can now take a list of target servers (in the form of both whitelist and blacklist) it can serve.

[coveralls]

Coverage remained the same at 100.0% when pulling b95554a on davidhoksza:target-restriction into 2ee3147 on Rob--W:master.

[coveralls]

Coverage remained the same at 100.0% when pulling 5b1f7b6 on davidhoksza:target-restriction into 2ee3147 on Rob--W:master.

[Rob--W]

Please undo the removal of every two spaces at the end ( ). These are necessary to force a line break. After your line the Example: ... is not on a separate line any more.

[Rob--W]

This check can be bypassed if the whitelisted target site has an open redirect. A better place to enforce this is in the proxyRequest function.

Locally I started with something like this (many months ago), but I never got to finish the implementation.

 function proxyRequest(req, res, proxy) {
   var location = req.corsAnywhereRequestState.location;
+  // TODO: Add something like this?
+  // For https://github.com/Rob--W/cors-anywhere/issues/67
+  if (req.corsAnywhereRequestState.checkRequestAllowed &&
+      !req.corsAnywhereRequestState.checkRequestAllowed(location)) {
+      res.writeHead(403, 'Forbidden', withCORS({}, req));
+      res.end('The requested resource was blocked by the operator of this proxy.');
+    return;
+  }

The idea behind this is that the validator can be as flexible as anyone wants to, with some default implementation in server.js that simply looks at the environment variables and the prefix (like you're doing right now).

Matching by prefix is the simplest, but is it sufficient for most use cases? I recall another bug that wanted to match by "file extension".

[Rob--W]

Also add tests where the request to a whitelisted target is redirected. One test for redirection to a whitelisted target, and another test for redirection to a blacklisted target.