A simple JavaScript CORS solution using hidden iframe proxy. Make cross-origin requests without server configuration—just add a port.html on the target domain.
corsport.fetch() instead of fetch()Your App → corsport.fetch(url) → Hidden iframe → Same-origin fetch() → Response
CORSPort creates a hidden iframe on the target domain that performs same-origin requests (bypassing CORS).
npm install corsport
Or via CDN:
<script type="module">
import * as corsport from 'https://unpkg.com/corsport/dist/corsport.min.js';
</script>
port.htmlnpx corsport init
Upload the generated port.html to your target domain.
import * as corsport from 'corsport';
// Configure once
await corsport.configure({
portUrl: 'https://api.example.com/port.html',
});
// Use corsport.fetch() for cross-origin requests
const response = await corsport.fetch('https://api.example.com/users');
const data = await response.json();
corsport.configure(config)await corsport.configure({
portUrl: string, // Required: URL of port.html
timeout?: number, // Optional: Request timeout (default: 30000)
debug?: boolean // Optional: Enable logging (default: false)
});
corsport.fetch(url, options)Same API as native fetch():
// GET
const response = await corsport.fetch('https://api.example.com/users');
// POST
const response = await corsport.fetch('https://api.example.com/users', {
method: 'POST',
headers: { 'Content-Type': 'application/json' },
body: JSON.stringify({ name: 'John' }),
});
// With authorization
const response = await corsport.fetch('https://api.example.com/data', {
headers: { Authorization: 'Bearer token' },
});
CORSPort has passed comprehensive security auditing:
📄 View Full Security Audit Report
Configure port.html security settings:
const CONFIG = {
allowedOrigins: ['https://your-app.com'], // Required
allowedPaths: ['/api/'], // Optional
maxBodySize: 10 * 1024 * 1024, // 10MB
debug: false, // Set to false in production
};
Best Practices:
allowedOrigins (never use ['*'] in production)allowedPaths to specific endpointsmaxBodySizeSecurity Features:
pnpm install
pnpm dev
Open http://localhost:8080/demo/app/
MIT - see LICENSE file
pnpm check && pnpm formatFull documentation: GitHub
FAQs
A pure JavaScript CORS alternative using iframe proxy
We found that corsport demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
Multiple high-impact npm maintainers confirm they have been targeted in the same social engineering campaign that compromised Axios.
Security News
Axios compromise traced to social engineering, showing how attacks on maintainers can bypass controls and expose the broader software supply chain.
Security News
Node.js has paused its bug bounty program after funding ended, removing payouts for vulnerability reports but keeping its security process unchanged.