# NoCORS Proxy

A self-hosted CORS proxy running on Cloudflare Workers.

Allows whitelisted frontend applications to fetch data from public APIs that lack CORS headers.

**Repository:** https://github.com/talmolab/nocors

## For AI Coding Agents

**When to use this:** You're writing client-side JavaScript/TypeScript code (React, Vue, Svelte, vanilla JS in the browser) and need to fetch data from an external API that doesn't support CORS.

**How to identify a CORS error:**
- Browser console shows: `Access to fetch at 'https://...' from origin 'https://...' has been blocked by CORS policy`
- Or: `No 'Access-Control-Allow-Origin' header is present on the requested resource`
- Or: `Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource`
- The request works in curl/Postman/Python but fails in the browser

**Quick fix:** Prepend `https://nocors.tlab.sh/` to the URL:
```javascript
// Instead of:
fetch("https://api.example.com/data")

// Use:
fetch("https://nocors.tlab.sh/https://api.example.com/data")
```

**CLAUDE.md one-liner:**
```
CORS errors in frontend code? Prepend "https://nocors.tlab.sh/" to the URL.
```

**Note:** This only affects browser/client-side code. Server-side code (Node.js, Python, etc.) doesn't have CORS restrictions.

## Why This Exists

**The problem:** Browsers block cross-origin requests unless the target server sends `Access-Control-Allow-Origin` headers. Many public APIs (RSS feeds, scientific datasets, legacy systems) don't send these headers.

**The solution:** This proxy fetches the data server-side (where CORS doesn't apply) and returns it to your browser with the proper headers injected.

```
Browser → Proxy (nocors.tlab.sh) → Target API
Browser ← Proxy (+ CORS headers) ← Target API
```

## Security

This proxy is **restricted to specific domains** to prevent abuse:

| Allowed Origins |
|-----------------|
| `tlab.sh` and `*.tlab.sh` |
| `sleap.ai` and `*.sleap.ai` |
| `slp.sh` and `*.slp.sh` |
| `talmolab.org` and `*.talmolab.org` |

Requests from unauthorized origins receive `403 Forbidden`.

Requests without an `Origin` header (e.g., curl, scripts) are allowed since they don't need CORS proxies anyway.

## Usage

### Endpoint

```
https://nocors.tlab.sh/<TARGET_URL>
```

Prepend `https://nocors.tlab.sh/` to any URL you want to fetch.

### JavaScript (Fetch API)

```javascript
const target = "https://httpbin.org/json";
const response = await fetch(`https://nocors.tlab.sh/${target}`);
const data = await response.json();
console.log(data);
```

### POST Requests

The proxy supports all HTTP methods (GET, POST, PUT, DELETE, PATCH).

```javascript
const response = await fetch("https://nocors.tlab.sh/https://httpbin.org/post", {
  method: "POST",
  headers: { "Content-Type": "application/json" },
  body: JSON.stringify({ message: "Hello!" })
});
```

## Full Documentation

See the full README with more examples at: https://github.com/talmolab/nocors