Private CORS Proxy for Paid Users?

We all know the “Security Issues” of browser-based tools. But frankly speaking, one of the most annoying things about using Observable is the “CORS” errors!

I am using my own authorization tokens and keys; it’s not insecure! It’s just some restrictions of the service providers. I can ask them to stop restricting them, but they would not always listen to me. The same API would work perfectly on Python-based notebooks (like Google Colab)!

I have spent endless effort bypassing the CORS thing again and again, and there are some CORS proxies that work but are not stable. I’ve seen Observable trying to let us trigger scheduled notebooks. That’s a nice try. It means you guys are using self-hosted servers to help us, but with the CORS restrictions, browser-based notebooks still lack a lot compared to Python notebooks.

There could be some abuse issues. But it is easy to find out whether it is normal use, e.g. by restricting bandwidth, quotas, domains, etc. And it will really help us.

Thanks for the fantastic work on Observable! Please consider solving this problem; it would be perfect.


This is purely a JavaScript-in-the-web-browser security issue. If you write your own plain web page with a call to fetch in vanilla JavaScript, you’ll run into the same issue. Thus, this really has nothing to do with Observable. Even if there is some magic fix, the responsibility for dealing with CORS correctly should probably lie with the programmer making the requests.

A first-party CORS proxy would be excellent! Even StackBlitz is dragging their feet on adding this somehow (it's even more fundamental for them). There have been a few community-run proxy servers pinned to Observable notebook domains, and of course you can set up a personal one that would only proxy traffic from your personal / team Observable notebook domains. But it's frustrating that web infra providers like Observable / StackBlitz haven’t done their part to complete the functionality of their runtime by remediating the poor design of CORS on the web. My guess is they are worried about liability for traffic originating from the proxy to external sites, but they could probably just host it off the per-user domains anyway, and if any issues arise the feature can be turned off on a per-user or per-team basis. And it can be a paid-only offering.