Accessing CORS-less resources from notebooks

Continuing the discussion from Suggestion: proxy calls to private-per-user-per-notebook whitelisted urls:

In the meantime has reasonable rate limits, and since a project can have private configuration, but can still be forked easily, it should be a matter of seconds to set up a custom CORS proxy.

I’d be happy to create a template project (I’ve been meaning to do it for a while), but I’d like to know the restrictions that should be applicable:

  • origin: limitable to own notebooks (via origin header; each Observable user has their own worker subdomain)
  • authenticated: limit by secret (define tokens, to be passed via a header, header is removed before proxying)

It gets a bit more complicated for target paths, with three possible, but very different implementations:

  1. host pass-through: client must provide full path including host. Possible filters: prefix, regex
  2. path pass-through: restricted to a single domain, client must provide path without host. Possible filters: prefix, regex
  3. inventory: fixed mapping of routes to target URLs, where the client can only request a predetermined route. Possible filters: secret

An example for 2. would be this very basic proxy for!/observablehq-api?path=index.js:1:0

Did I cover everything? Or did I miss something?


so-fetch might be something to look into - and the corresponding glitch app. I also made this awhile ago that runs on heroku (fork of original cors-anywhere) that will only tunnel requests coming from a specific user’s notebook. e.g. the example setup only works for asg017's notebooks, so if you fork one of my notebooks that uses this proxy, it’ll not work (but give an error message saying how to create your own proxy).

Neither of these uses Secrets/authentication/extensive rate-limiting, however


@jdbetfair I forgot to ask: Is it alright with you that I repurposed this topic to discuss alternative solutions? Otherwise mine and @asg017’s post can be split out into a new topic.

Hey @mootari, thanks for the info.
Re your question: it would probably be worth separating an ‘alternative solutions’ discussion into a separate thread so this suggestion for an enhancement to Observable can be treated as just that.

@jashkenas Can you please split comment Suggestion: proxy calls to private-per-user-per-notebook whitelisted urls and following comments out into a separate topic, as per previous comment by @jdbetfair? Thanks!


1 Like