Mike Slinn

Cross-Origin Resource Sharing (CORS)

Published 2021-03-20. Last modified 2022-12-13.

Many have tried to explain CORS, but most have not provided a clear explanation. I am going to try, then I will refer to explanations by others, who also provide examples.

Origin and Origin Server

A website is delivered to web browsers from an origin server, or origin for short. The origin server is principally responsible for generating web pages.

An origin is a combination of 3 things:

  1. A scheme (http, https, etc.)
  2. A (sub)domain, for example localhost, blah.com or assets.blah.com.
  3. A port, for example 80, 443, 8000, etc.

All three things must match in order for two URLs to be considered to be from the same origin. For example:

URL 1             URL 2                             Same Origin?
http://blah.com   https://blah.com                  No
https://blah.com  https://assets.blah.com           No
https://blah.com  https://blah.com/path/page.html   Yes

Content Servers

In this article, I use the term content server to refer to sources of online information other than the origin server. Resources referenced by a web page, such as images, JavaScript, CSS, and data might be provided by the origin server, or they might come from a content server.

Because every server has by definition a different origin, content servers always have a different origin than the origin server. Static resources (resources that do not change) are often served by content delivery networks (CDNs), which are also content servers.

The Cross-Origin Resource Sharing (CORS) standard controls whether a web page can load resources from content servers. Content servers are in charge of their content; they decide which origin servers they wish to co-operate with. When CORS support is properly configured, content servers include HTTP headers in their responses that tell a web browser whether those resources may be read by the web page being constructed.

Proxy servers incorporate content from other servers (the proxied sites) into their own output.

Here is a more detailed set of definitions:

A proxy is a person or process serving as an authorized agent or substitute for another. In computer science, a more specific term is forward proxy.

A proxy server is a server process that acts as an intermediary between a client requesting a resource, and the process that provides the resource.

A reverse proxy is a process that sits in front of other processes, and forwards client requests to them. The term forwarding process is similar to reverse proxy.

The definitions for proxy, forward proxy and reverse proxy all sound identical. The key difference between a reverse proxy and a forward proxy is that a forward proxy enables computers isolated on a private network to connect to the public internet, while a reverse proxy enables computers on the internet to access a private subnet.

Data is a special type of resource. CORS restricts how data is exchanged between the web page delivered to the web browser from the origin server and content servers. In particular, JSON and XML data communicated to and from content servers requires CORS authorization. Furthermore, requests (from the web browser) that send JSON, XML and other data formats to content servers also require CORS authorization.

Nginx Proxy Configuration

Nginx is a content server, and an nginx website can be configured to allow its content to be proxied by other servers. Other nginx websites could be configured as proxy servers.

CORS headers emitted by the proxied website determine which proxy servers are allowed to consume their content.

For example, imagine a website running at http://localhost:9000. The following configuration would allow that server’s content to be proxied by any other server. Specifically, the highlighted snippet (the two add_header directives) grants permission to any other server to include the content in their web pages. All of the proxied website’s headers are allowed to be passed through by the proxy server, if it is configured to do so.

Nginx configuration for proxied server on port 9000
server {
  listen 9000;
  listen [::]:9000;

  server_name localhost;

  location / {
    root /var/www/blah/blah;
    index index.html;

    # First attempt to serve request as file, then as directory, then fall back to displaying a 404.
    try_files $uri $uri/ =404;

    add_header 'Access-Control-Allow-Origin' '*' always;
    add_header 'Access-Control-Allow-Headers' '*' always;
  }
}

Continuing our imaginary setup, imagine a publicly accessible proxy server that needs to incorporate the content from the local server on port 9000. The configuration for the proxy server would, at a minimum, require something like the following. This configuration causes the proxied content to be included into the public server’s content.

Nginx proxy server configuration
server {
  listen 80;
  listen [::]:80;
  listen 443 ssl;
  # The ssl parameter is set per listen socket, so the IPv6 listener needs it too.
  listen [::]:443 ssl;

  server_name scalacourses.com www.scalacourses.com;

  ssl_certificate /home/mslinn/.certbot/scalacourses.com/config/live/scalacourses.com/fullchain.pem;
  ssl_certificate_key /home/mslinn/.certbot/scalacourses.com/config/live/scalacourses.com/privkey.pem;
  ssl_trusted_certificate /home/mslinn/.certbot/scalacourses.com/config/live/scalacourses.com/chain.pem;
  include /etc/letsencrypt/options-ssl-nginx.conf;
  ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;

  # This gets served if the proxied website is down
  root /var/www/html;
  index index.html;

  location / {
    proxy_pass http://localhost:9000;
  }
}

For further reading, please see my article entitled Using Nginx As a Reverse Proxy With SSL.

Content-Type Header

The Content-Type header is used to indicate the media type of the resource. The old name MIME type has been replaced by media type. Here is a list of media types.

Media types with names that start with application require CORS authorization if they are delivered from content servers, for example application/json and application/javascript.

As well, a few media types with names that start with text require CORS authorization if they are delivered from content servers, for example text/xml and text/xml-external-parsed-entity.

Further Reading

Mariko Kosaka

Mariko Kosaka has written an easy-to-understand article describing CORS, and provides a simple but effective working Express website for demonstration.

The same-origin policy tells the browser to block cross-origin requests. When you want to get a public resource from a different origin, the resource-providing server needs to tell the browser ‘This origin where the request is coming from can access my resource’. The browser remembers that and allows cross-origin resource sharing.

  – Mariko Kosaka

Derric Gilling and MDN

Derric Gilling has written a more in-depth yet very approachable article describing CORS. I've paraphrased his quoting of the Mozilla Developer Network documentation into the following:

CORS is a security mechanism that allows a web page from one domain or Origin to access a resource with a different domain (a cross-domain request). CORS is a relaxation of the same-origin policy implemented in modern browsers. Without features like CORS, websites are restricted to accessing resources from the same origin through what is known as same-origin policy.

Any CORS request has to be preflighted if:
  • It uses methods other than GET, HEAD or POST.
  • It uses POST to send request data with a Content-Type other than application/x-www-form-urlencoded, multipart/form-data, or text/plain. Examples:
    • A POST request sends an XML payload to the server; this requires the Content-Type header to be set to either application/xml or text/xml.
    • A website makes an AJAX call that POSTs JSON data to a REST API; this requires the Content-Type header to be set to application/json.
  – Derric Gilling
  – Mozilla Developer Network

Preflight Requests

CORS preflight requests effectively double the latency of user requests for CRUD actions. Client-side and server-side caching can help reduce this overhead for many circumstances. In another article I discuss how to use a CDN with multiple origin servers to completely eliminate the need for preflight requests.
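
The preflight rule quoted above and the latency cost described in this section, as an added Python example (not code from the original article or from the authors it quotes). The safelisted header names and the use of Access-Control-Max-Age as the lifetime of the browser's preflight cache come from the Fetch standard rather than this page; the cache model is simplified and the api.shop.example URL is constructed.

```python
SIMPLE_METHODS = {"GET", "HEAD", "POST"}
SIMPLE_CONTENT_TYPES = {
    "application/x-www-form-urlencoded",
    "multipart/form-data",
    "text/plain",
}
# Assumption beyond the page: request header names the Fetch standard safelists.
SAFELISTED_HEADERS = {"accept", "accept-language", "content-language", "content-type"}


def preflight_reasons(method, headers=None):
    """Return the reasons a cross-origin request needs an OPTIONS preflight."""
    reasons = []
    if method.upper() not in SIMPLE_METHODS:
        reasons.append(f"method {method.upper()}")
    for name, value in (headers or {}).items():
        lname = name.lower()
        if lname == "content-type":
            # Compare the media type only; parameters such as charset do not count.
            essence = value.split(";", 1)[0].strip().lower()
            if essence not in SIMPLE_CONTENT_TYPES:
                reasons.append(f"content-type {essence}")
        elif lname not in SAFELISTED_HEADERS:
            reasons.append(f"header {lname}")
    return reasons


def round_trips(requests, max_age):
    """Count round trips for (time_s, method, url, headers) requests when the
    server answers preflights with Access-Control-Max-Age: max_age (seconds)."""
    cache = {}  # (url, reasons) -> expiry time; simplified browser preflight cache
    trips = 0
    for time_s, method, url, headers in requests:
        reasons = tuple(preflight_reasons(method, headers))
        key = (url, reasons)
        if reasons and cache.get(key, -1) <= time_s:
            trips += 1  # the OPTIONS preflight
            cache[key] = time_s + max_age
        trips += 1  # the actual request
    return trips


# Constructed traffic: three JSON POSTs and one plain GET to a hypothetical API.
JSON = {"Content-Type": "application/json"}
URL = "https://api.shop.example/items"
SAMPLE_REQUESTS = [(0, "POST", URL, JSON), (5, "POST", URL, JSON),
                   (10, "POST", URL, JSON), (12, "GET", URL, {})]

if __name__ == "__main__":
    print(preflight_reasons("POST", JSON))
    for max_age in (0, 8, 600):
        print(max_age, round_trips(SAMPLE_REQUESTS, max_age))
```

With no caching every JSON POST costs two round trips; a cache lifetime that outlasts the session leaves a single preflight.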

For additional background, please see:

KeyCDN

KeyCDN has an even more in-depth yet still very approachable article describing CORS.

CORScanner

CORScanner is a popular tool for detecting CORS misconfiguration. It is a Python module that can be executed as a shell command. Install CORScanner like this:

Shell
$ pip install cors

The above adds a new executable called cors in the same directory where your python command resides.

The cors documentation conflates the words URL and origin. Everywhere the word URL appears in the documentation, the word origin should be assumed.

Example: Check Domain

Use the -u option to specify an origin to test:

Shell
$ cors -u api.github.com
Starting CORS scan...
Finished CORS scanning... 

To enable more debug info, use the -v option more than once. We can see that specifying https restricts testing to that scheme.

Shell
$ cors -vv -u https://api.github.com
Starting CORS scan...
2021-03-21 09:55:58 INFO Start checking reflect_origin for https://api.github.com
2021-03-21 09:55:58 INFO nothing found for {url: https://api.github.com, origin: https://evil.com, type: reflect_origin}
2021-03-21 09:55:58 INFO Start checking prefix_match for https://api.github.com
2021-03-21 09:55:58 INFO nothing found for {url: https://api.github.com, origin: https://api.github.com.evil.com, type: prefix_match}
2021-03-21 09:55:58 INFO Start checking suffix_match for https://api.github.com
2021-03-21 09:55:59 INFO nothing found for {url: https://api.github.com, origin: https://evilgithub.com, type: suffix_match}
2021-03-21 09:55:59 INFO Start checking trust_null for https://api.github.com
2021-03-21 09:55:59 INFO nothing found for {url: https://api.github.com, origin: null, type: trust_null}
2021-03-21 09:55:59 INFO Start checking include_match for https://api.github.com
2021-03-21 09:55:59 INFO nothing found for {url: https://api.github.com, origin: https://ithub.com, type: include_match}
2021-03-21 09:55:59 INFO Start checking not_escape_dot for https://api.github.com
2021-03-21 09:55:59 INFO nothing found for {url: https://api.github.com, origin: https://api.githubacom, type: not_escape_dot}
2021-03-21 09:55:59 INFO Start checking custom_third_parties for https://api.github.com
2021-03-21 09:55:59 INFO nothing found for {url: https://api.github.com, origin: https://whatever.github.io, type: custom_third_parties}
2021-03-21 09:55:59 INFO nothing found for {url: https://api.github.com, origin: http://jsbin.com, type: custom_third_parties}
2021-03-21 09:55:59 INFO nothing found for {url: https://api.github.com, origin: https://codepen.io, type: custom_third_parties}
2021-03-21 09:55:59 INFO nothing found for {url: https://api.github.com, origin: https://jsfiddle.net, type: custom_third_parties}
2021-03-21 09:56:00 INFO nothing found for {url: https://api.github.com, origin: http://www.webdevout.net, type: custom_third_parties}
2021-03-21 09:56:00 INFO nothing found for {url: https://api.github.com, origin: https://repl.it, type: custom_third_parties}
2021-03-21 09:56:00 INFO Start checking special_characters_bypass for https://api.github.com
2021-03-21 09:56:00 INFO nothing found for {url: https://api.github.com, origin: https://api.github.com_.evil.com, type: special_characters_bypass}
2021-03-21 09:56:00 INFO nothing found for {url: https://api.github.com, origin: https://api.github.com-.evil.com, type: special_characters_bypass}
2021-03-21 09:56:00 INFO nothing found for {url: https://api.github.com, origin: https://api.github.com".evil.com, type: special_characters_bypass}
2021-03-21 09:56:00 INFO nothing found for {url: https://api.github.com, origin: https://api.github.com{.evil.com, type: special_characters_bypass}
2021-03-21 09:56:00 INFO nothing found for {url: https://api.github.com, origin: https://api.github.com}.evil.com, type: special_characters_bypass}
2021-03-21 09:56:00 INFO nothing found for {url: https://api.github.com, origin: https://api.github.com+.evil.com, type: special_characters_bypass}
2021-03-21 09:56:01 INFO nothing found for {url: https://api.github.com, origin: https://api.github.com^.evil.com, type: special_characters_bypass}
2021-03-21 09:56:01 INFO nothing found for {url: https://api.github.com, origin: https://api.github.com%60.evil.com, type: special_characters_bypass}
2021-03-21 09:56:01 INFO nothing found for {url: https://api.github.com, origin: https://api.github.com!.evil.com, type: special_characters_bypass}
2021-03-21 09:56:01 INFO nothing found for {url: https://api.github.com, origin: https://api.github.com~.evil.com, type: special_characters_bypass}
2021-03-21 09:56:01 INFO nothing found for {url: https://api.github.com, origin: https://api.github.com`.evil.com, type: special_characters_bypass}
2021-03-21 09:56:01 INFO nothing found for {url: https://api.github.com, origin: https://api.github.com;.evil.com, type: special_characters_bypass}
2021-03-21 09:56:01 INFO nothing found for {url: https://api.github.com, origin: https://api.github.com|.evil.com, type: special_characters_bypass}
2021-03-21 09:56:02 INFO nothing found for {url: https://api.github.com, origin: https://api.github.com&.evil.com, type: special_characters_bypass}
2021-03-21 09:56:02 INFO nothing found for {url: https://api.github.com, origin: https://api.github.com'.evil.com, type: special_characters_bypass}
2021-03-21 09:56:02 INFO nothing found for {url: https://api.github.com, origin: https://api.github.com(.evil.com, type: special_characters_bypass}
2021-03-21 09:56:02 INFO nothing found for {url: https://api.github.com, origin: https://api.github.com).evil.com, type: special_characters_bypass}
2021-03-21 09:56:02 INFO nothing found for {url: https://api.github.com, origin: https://api.github.com*.evil.com, type: special_characters_bypass}
2021-03-21 09:56:02 INFO nothing found for {url: https://api.github.com, origin: https://api.github.com,.evil.com, type: special_characters_bypass}
2021-03-21 09:56:02 INFO nothing found for {url: https://api.github.com, origin: https://api.github.com$.evil.com, type: special_characters_bypass}
2021-03-21 09:56:03 INFO nothing found for {url: https://api.github.com, origin: https://api.github.com=.evil.com, type: special_characters_bypass}
2021-03-21 09:56:03 INFO nothing found for {url: https://api.github.com, origin: https://api.github.com+.evil.com, type: special_characters_bypass}
2021-03-21 09:56:03 INFO nothing found for {url: https://api.github.com, origin: https://api.github.com%0b.evil.com, type: special_characters_bypass}
2021-03-21 09:56:03 INFO Start checking trust_any_subdomain for https://api.github.com
2021-03-21 09:56:03 INFO nothing found for {url: https://api.github.com, origin: https://evil.api.github.com, type: trust_any_subdomain}
2021-03-21 09:56:03 INFO Start checking https_trust_http for https://api.github.com
2021-03-21 09:56:03 INFO nothing found for {url: https://api.github.com, origin: http://api.github.com, type: https_trust_http}
Finished CORS scanning... 

Example: Check Origin

To check CORS misconfigurations of an origin:

Shell
$ cors -vvu https://api.github.com/users/mslinn/repos
Starting CORS scan...
  2021-03-21 10:08:49 INFO Start checking reflect_origin for https://api.github.com
  2021-03-21 10:08:49 INFO nothing found for {url: https://api.github.com, origin: https://evil.com, type: reflect_origin}
  2021-03-21 10:08:49 INFO Start checking prefix_match for https://api.github.com
  2021-03-21 10:08:49 INFO nothing found for {url: https://api.github.com, origin: https://api.github.com.evil.com, type: prefix_match}
  2021-03-21 10:08:49 INFO Start checking suffix_match for https://api.github.com
  2021-03-21 10:08:49 INFO nothing found for {url: https://api.github.com, origin: https://evilgithub.com, type: suffix_match}
  2021-03-21 10:08:49 INFO Start checking trust_null for https://api.github.com
  2021-03-21 10:08:50 INFO nothing found for {url: https://api.github.com, origin: null, type: trust_null}
  2021-03-21 10:08:50 INFO Start checking include_match for https://api.github.com
  2021-03-21 10:08:50 INFO nothing found for {url: https://api.github.com, origin: https://ithub.com, type: include_match}
  2021-03-21 10:08:50 INFO Start checking not_escape_dot for https://api.github.com
  2021-03-21 10:08:50 INFO nothing found for {url: https://api.github.com, origin: https://api.githubacom, type: not_escape_dot}
  2021-03-21 10:08:50 INFO Start checking custom_third_parties for https://api.github.com
  2021-03-21 10:08:50 INFO nothing found for {url: https://api.github.com, origin: https://whatever.github.io, type: custom_third_parties}
  2021-03-21 10:08:50 INFO nothing found for {url: https://api.github.com, origin: http://jsbin.com, type: custom_third_parties}
  2021-03-21 10:08:50 INFO nothing found for {url: https://api.github.com, origin: https://codepen.io, type: custom_third_parties}
  2021-03-21 10:08:50 INFO nothing found for {url: https://api.github.com, origin: https://jsfiddle.net, type: custom_third_parties}
  2021-03-21 10:08:51 INFO nothing found for {url: https://api.github.com, origin: http://www.webdevout.net, type: custom_third_parties}
  2021-03-21 10:08:51 INFO nothing found for {url: https://api.github.com, origin: https://repl.it, type: custom_third_parties}
  2021-03-21 10:08:51 INFO Start checking special_characters_bypass for https://api.github.com
  2021-03-21 10:08:51 INFO nothing found for {url: https://api.github.com, origin: https://api.github.com_.evil.com, type: special_characters_bypass}
  2021-03-21 10:08:51 INFO nothing found for {url: https://api.github.com, origin: https://api.github.com-.evil.com, type: special_characters_bypass}
  2021-03-21 10:08:51 INFO nothing found for {url: https://api.github.com, origin: https://api.github.com".evil.com, type: special_characters_bypass}
  2021-03-21 10:08:51 INFO nothing found for {url: https://api.github.com, origin: https://api.github.com{.evil.com, type: special_characters_bypass}
  2021-03-21 10:08:51 INFO nothing found for {url: https://api.github.com, origin: https://api.github.com}.evil.com, type: special_characters_bypass}
  2021-03-21 10:08:51 INFO nothing found for {url: https://api.github.com, origin: https://api.github.com+.evil.com, type: special_characters_bypass}
  2021-03-21 10:08:52 INFO nothing found for {url: https://api.github.com, origin: https://api.github.com^.evil.com, type: special_characters_bypass}
  2021-03-21 10:08:52 INFO nothing found for {url: https://api.github.com, origin: https://api.github.com%60.evil.com, type: special_characters_bypass}
  2021-03-21 10:08:52 INFO nothing found for {url: https://api.github.com, origin: https://api.github.com!.evil.com, type: special_characters_bypass}
  2021-03-21 10:08:52 INFO nothing found for {url: https://api.github.com, origin: https://api.github.com~.evil.com, type: special_characters_bypass}
  2021-03-21 10:08:52 INFO nothing found for {url: https://api.github.com, origin: https://api.github.com`.evil.com, type: special_characters_bypass}
  2021-03-21 10:08:52 INFO nothing found for {url: https://api.github.com, origin: https://api.github.com;.evil.com, type: special_characters_bypass}
  2021-03-21 10:08:52 INFO nothing found for {url: https://api.github.com, origin: https://api.github.com|.evil.com, type: special_characters_bypass}
  2021-03-21 10:08:53 INFO nothing found for {url: https://api.github.com, origin: https://api.github.com&.evil.com, type: special_characters_bypass}
  2021-03-21 10:08:53 INFO nothing found for {url: https://api.github.com, origin: https://api.github.com'.evil.com, type: special_characters_bypass}
  2021-03-21 10:08:53 INFO nothing found for {url: https://api.github.com, origin: https://api.github.com(.evil.com, type: special_characters_bypass}
  2021-03-21 10:08:53 INFO nothing found for {url: https://api.github.com, origin: https://api.github.com).evil.com, type: special_characters_bypass}
  2021-03-21 10:08:53 INFO nothing found for {url: https://api.github.com, origin: https://api.github.com*.evil.com, type: special_characters_bypass}
  2021-03-21 10:08:53 INFO nothing found for {url: https://api.github.com, origin: https://api.github.com,.evil.com, type: special_characters_bypass}
  2021-03-21 10:08:53 INFO nothing found for {url: https://api.github.com, origin: https://api.github.com$.evil.com, type: special_characters_bypass}
  2021-03-21 10:08:53 INFO nothing found for {url: https://api.github.com, origin: https://api.github.com=.evil.com, type: special_characters_bypass}
  2021-03-21 10:08:54 INFO nothing found for {url: https://api.github.com, origin: https://api.github.com+.evil.com, type: special_characters_bypass}
  2021-03-21 10:08:54 INFO nothing found for {url: https://api.github.com, origin: https://api.github.com%0b.evil.com, type: special_characters_bypass}
  2021-03-21 10:08:54 INFO Start checking trust_any_subdomain for https://api.github.com
  2021-03-21 10:08:54 INFO nothing found for {url: https://api.github.com, origin: https://evil.api.github.com, type: trust_any_subdomain}
  2021-03-21 10:08:54 INFO Start checking https_trust_http for https://api.github.com
  2021-03-21 10:08:54 INFO nothing found for {url: https://api.github.com, origin: http://api.github.com, type: https_trust_http}
  Finished CORS scanning... 

If a scheme is not specified, then both http and https are tested:

Shell
$ cors -vvu api.github.com/users/mslinn/repos
Starting CORS scan...
  2021-03-21 10:03:30 INFO Start checking reflect_origin for http://api.github.com
  2021-03-21 10:03:30 INFO Start checking reflect_origin for https://api.github.com
  2021-03-21 10:03:30 INFO nothing found for {url: https://api.github.com, origin: https://evil.com, type: reflect_origin}2021-03-21 10:03:30 INFO Start checking prefix_match for https://api.github.com
  2021-03-21 10:03:30 INFO nothing found for {url: http://api.github.com, origin: http://evil.com, type: reflect_origin}
  2021-03-21 10:03:30 INFO Start checking prefix_match for http://api.github.com
  2021-03-21 10:03:30 INFO nothing found for {url: https://api.github.com, origin: https://api.github.com.evil.com, type: prefix_match}
  2021-03-21 10:03:30 INFO Start checking suffix_match for https://api.github.com
  2021-03-21 10:03:30 INFO nothing found for {url: https://api.github.com, origin: https://evilgithub.com, type: suffix_match}
  2021-03-21 10:03:30 INFO Start checking trust_null for https://api.github.com
  2021-03-21 10:03:30 INFO nothing found for {url: http://api.github.com, origin: http://api.github.com.evil.com, type: prefix_match}
  2021-03-21 10:03:30 INFO Start checking suffix_match for http://api.github.com
  2021-03-21 10:03:31 INFO nothing found for {url: https://api.github.com, origin: null, type: trust_null}
  2021-03-21 10:03:31 INFO Start checking include_match for https://api.github.com
  2021-03-21 10:03:31 INFO nothing found for {url: http://api.github.com, origin: http://evilgithub.com, type: suffix_match}
  2021-03-21 10:03:31 INFO Start checking trust_null for http://api.github.com
  2021-03-21 10:03:31 INFO nothing found for {url: https://api.github.com, origin: https://ithub.com, type: include_match}2021-03-21 10:03:31 INFO Start checking not_escape_dot for https://api.github.com
  2021-03-21 10:03:31 INFO nothing found for {url: https://api.github.com, origin: https://api.githubacom, type: not_escape_dot}
  2021-03-21 10:03:31 INFO Start checking custom_third_parties for https://api.github.com
  2021-03-21 10:03:31 INFO nothing found for {url: http://api.github.com, origin: null, type: trust_null}
  2021-03-21 10:03:31 INFO Start checking include_match for http://api.github.com
  2021-03-21 10:03:31 INFO nothing found for {url: https://api.github.com, origin: https://whatever.github.io, type: custom_third_parties}
  2021-03-21 10:03:31 INFO nothing found for {url: http://api.github.com, origin: http://ithub.com, type: include_match}
  2021-03-21 10:03:31 INFO Start checking not_escape_dot for http://api.github.com
  2021-03-21 10:03:31 INFO nothing found for {url: https://api.github.com, origin: http://jsbin.com, type: custom_third_parties}
  2021-03-21 10:03:31 INFO nothing found for {url: https://api.github.com, origin: https://codepen.io, type: custom_third_parties}
  2021-03-21 10:03:31 INFO nothing found for {url: http://api.github.com, origin: http://api.githubacom, type: not_escape_dot}
  2021-03-21 10:03:31 INFO Start checking custom_third_parties for http://api.github.com
  2021-03-21 10:03:31 INFO nothing found for {url: https://api.github.com, origin: https://jsfiddle.net, type: custom_third_parties}
  2021-03-21 10:03:32 INFO nothing found for {url: http://api.github.com, origin: https://whatever.github.io, type: custom_third_parties}
  2021-03-21 10:03:32 INFO nothing found for {url: https://api.github.com, origin: http://www.webdevout.net, type: custom_third_parties}
  2021-03-21 10:03:32 INFO nothing found for {url: https://api.github.com, origin: https://repl.it, type: custom_third_parties}
  2021-03-21 10:03:32 INFO Start checking special_characters_bypass for https://api.github.com
  2021-03-21 10:03:32 INFO nothing found for {url: http://api.github.com, origin: http://jsbin.com, type: custom_third_parties}
  2021-03-21 10:03:32 INFO nothing found for {url: https://api.github.com, origin: https://api.github.com_.evil.com, type: special_characters_bypass}
  2021-03-21 10:03:32 INFO nothing found for {url: https://api.github.com, origin: https://api.github.com-.evil.com, type: special_characters_bypass}
  2021-03-21 10:03:32 INFO nothing found for {url: http://api.github.com, origin: https://codepen.io, type: custom_third_parties}
  2021-03-21 10:03:32 INFO nothing found for {url: https://api.github.com, origin: https://api.github.com".evil.com, type: special_characters_bypass}
  2021-03-21 10:03:32 INFO nothing found for {url: https://api.github.com, origin: https://api.github.com{.evil.com, type: special_characters_bypass}
  2021-03-21 10:03:32 INFO nothing found for {url: http://api.github.com, origin: https://jsfiddle.net, type: custom_third_parties}
  2021-03-21 10:03:32 INFO nothing found for {url: https://api.github.com, origin: https://api.github.com}.evil.com, type: special_characters_bypass}
  2021-03-21 10:03:32 INFO nothing found for {url: https://api.github.com, origin: https://api.github.com+.evil.com, type: special_characters_bypass}
  2021-03-21 10:03:32 INFO nothing found for {url: http://api.github.com, origin: http://www.webdevout.net, type: custom_third_parties}
  2021-03-21 10:03:32 INFO nothing found for {url: https://api.github.com, origin: https://api.github.com^.evil.com, type: special_characters_bypass}
  2021-03-21 10:03:33 INFO nothing found for {url: http://api.github.com, origin: https://repl.it, type: custom_third_parties}
  2021-03-21 10:03:33 INFO Start checking special_characters_bypass for http://api.github.com
  2021-03-21 10:03:33 INFO nothing found for {url: https://api.github.com, origin: https://api.github.com%60.evil.com, type: special_characters_bypass}
  2021-03-21 10:03:33 INFO nothing found for {url: https://api.github.com, origin: https://api.github.com!.evil.com, type: special_characters_bypass}
  2021-03-21 10:03:33 INFO nothing found for {url: http://api.github.com, origin: http://api.github.com_.evil.com, type: special_characters_bypass}
  2021-03-21 10:03:33 INFO nothing found for {url: https://api.github.com, origin: https://api.github.com~.evil.com, type: special_characters_bypass}
  2021-03-21 10:03:33 INFO nothing found for {url: https://api.github.com, origin: https://api.github.com`.evil.com, type: special_characters_bypass}
  2021-03-21 10:03:33 INFO nothing found for {url: http://api.github.com, origin: http://api.github.com-.evil.com, type: special_characters_bypass}
  2021-03-21 10:03:33 INFO nothing found for {url: https://api.github.com, origin: https://api.github.com;.evil.com, type: special_characters_bypass}
  2021-03-21 10:03:33 INFO nothing found for {url: http://api.github.com, origin: http://api.github.com".evil.com, type: special_characters_bypass}
  2021-03-21 10:03:33 INFO nothing found for {url: https://api.github.com, origin: https://api.github.com|.evil.com, type: special_characters_bypass}
  2021-03-21 10:03:33 INFO nothing found for {url: https://api.github.com, origin: https://api.github.com&.evil.com, type: special_characters_bypass}
  2021-03-21 10:03:33 INFO nothing found for {url: http://api.github.com, origin: http://api.github.com{.evil.com, type: special_characters_bypass}
  2021-03-21 10:03:33 INFO nothing found for {url: https://api.github.com, origin: https://api.github.com'.evil.com, type: special_characters_bypass}
  2021-03-21 10:03:34 INFO nothing found for {url: https://api.github.com, origin: https://api.github.com(.evil.com, type: special_characters_bypass}
  2021-03-21 10:03:34 INFO nothing found for {url: http://api.github.com, origin: http://api.github.com}.evil.com, type: special_characters_bypass}
  2021-03-21 10:03:34 INFO nothing found for {url: https://api.github.com, origin: https://api.github.com).evil.com, type: special_characters_bypass}
  2021-03-21 10:03:34 INFO nothing found for {url: http://api.github.com, origin: http://api.github.com+.evil.com, type: special_characters_bypass}
  2021-03-21 10:03:34 INFO nothing found for {url: https://api.github.com, origin: https://api.github.com*.evil.com, type: special_characters_bypass}
  2021-03-21 10:03:34 INFO nothing found for {url: https://api.github.com, origin: https://api.github.com,.evil.com, type: special_characters_bypass}
  2021-03-21 10:03:34 INFO nothing found for {url: http://api.github.com, origin: http://api.github.com^.evil.com, type: special_characters_bypass}
  2021-03-21 10:03:34 INFO nothing found for {url: https://api.github.com, origin: https://api.github.com$.evil.com, type: special_characters_bypass}
  2021-03-21 10:03:34 INFO nothing found for {url: https://api.github.com, origin: https://api.github.com=.evil.com, type: special_characters_bypass}
  2021-03-21 10:03:34 INFO nothing found for {url: http://api.github.com, origin: http://api.github.com%60.evil.com, type: special_characters_bypass}
  2021-03-21 10:03:34 INFO nothing found for {url: https://api.github.com, origin: https://api.github.com+.evil.com, type: special_characters_bypass}
  2021-03-21 10:03:34 INFO nothing found for {url: http://api.github.com, origin: http://api.github.com!.evil.com, type: special_characters_bypass}
  2021-03-21 10:03:34 INFO nothing found for {url: https://api.github.com, origin: https://api.github.com%0b.evil.com, type: special_characters_bypass}
  2021-03-21 10:03:34 INFO Start checking trust_any_subdomain for https://api.github.com
  2021-03-21 10:03:35 INFO nothing found for {url: https://api.github.com, origin: https://evil.api.github.com, type: trust_any_subdomain}
  2021-03-21 10:03:35 INFO Start checking https_trust_http for https://api.github.com
  2021-03-21 10:03:35 INFO nothing found for {url: http://api.github.com, origin: http://api.github.com~.evil.com, type: special_characters_bypass}
  2021-03-21 10:03:35 INFO nothing found for {url: https://api.github.com, origin: http://api.github.com, type: https_trust_http}
  2021-03-21 10:03:35 INFO nothing found for {url: http://api.github.com, origin: http://api.github.com`.evil.com, type: special_characters_bypass}
  2021-03-21 10:03:35 INFO nothing found for {url: http://api.github.com, origin: http://api.github.com;.evil.com, type: special_characters_bypass}
  2021-03-21 10:03:35 INFO nothing found for {url: http://api.github.com, origin: http://api.github.com|.evil.com, type: special_characters_bypass}
  2021-03-21 10:03:35 INFO nothing found for {url: http://api.github.com, origin: http://api.github.com&.evil.com, type: special_characters_bypass}
  2021-03-21 10:03:36 INFO nothing found for {url: http://api.github.com, origin: http://api.github.com'.evil.com, type: special_characters_bypass}
  2021-03-21 10:03:36 INFO nothing found for {url: http://api.github.com, origin: http://api.github.com(.evil.com, type: special_characters_bypass}
  2021-03-21 10:03:36 INFO nothing found for {url: http://api.github.com, origin: http://api.github.com).evil.com, type: special_characters_bypass}
  2021-03-21 10:03:36 INFO nothing found for {url: http://api.github.com, origin: http://api.github.com*.evil.com, type: special_characters_bypass}
  2021-03-21 10:03:37 INFO nothing found for {url: http://api.github.com, origin: http://api.github.com,.evil.com, type: special_characters_bypass}
  2021-03-21 10:03:38 INFO nothing found for {url: http://api.github.com, origin: http://api.github.com$.evil.com, type: special_characters_bypass}
  2021-03-21 10:03:38 INFO nothing found for {url: http://api.github.com, origin: http://api.github.com=.evil.com, type: special_characters_bypass}
  2021-03-21 10:03:38 INFO nothing found for {url: http://api.github.com, origin: http://api.github.com+.evil.com, type: special_characters_bypass}
  2021-03-21 10:03:38 INFO nothing found for {url: http://api.github.com, origin: http://api.github.com%0b.evil.com, type: special_characters_bypass}
  2021-03-21 10:03:38 INFO Start checking trust_any_subdomain for http://api.github.com
  2021-03-21 10:03:39 INFO nothing found for {url: http://api.github.com, origin: http://evil.api.github.com, type: trust_any_subdomain}
  Finished CORS scanning... 
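
Each check type in the logs above (prefix_match, suffix_match, not_escape_dot and so on) corresponds to a loose way of comparing the Origin header on the server. The following added Python example, which is not part of CORScanner or of the original article, compares whole (scheme, host, port) origins against an allowlist and runs that check beside several loose comparisons over one constructed probe per check type. The shop.example names, the allowlist and the weak validators are assumptions made for illustration.

```python
import re

DEFAULT_PORTS = {"http": 80, "https": 443}
# Strict shape of a serialized origin: scheme://host[:port] and nothing else.
_ORIGIN_RE = re.compile(
    r"(https?)://([a-z0-9](?:[a-z0-9.-]*[a-z0-9])?)(?::([0-9]{1,5}))?"
)


def parse_origin(value):
    """Return (scheme, host, port), or None if value is not a plain http(s) origin."""
    match = _ORIGIN_RE.fullmatch(value.lower()) if isinstance(value, str) else None
    if match is None:
        # Covers "null", anything with a path, and hosts containing characters
        # other than letters, digits, dots and hyphens.
        return None
    scheme, host, port = match.groups()
    return (scheme, host, int(port) if port else DEFAULT_PORTS[scheme])


# Constructed allowlist for a hypothetical API; every entry is a complete origin.
ALLOWED = {parse_origin("https://www.shop.example"),
           parse_origin("http://localhost:8000")}


def is_allowed(origin_header):
    """Exact match on all three parts of the origin."""
    origin = parse_origin(origin_header)
    return origin is not None and origin in ALLOWED


def cors_headers(origin_header):
    """Headers to add to the response; empty when the origin is not allowlisted."""
    if not is_allowed(origin_header):
        return {}
    # Vary: Origin keeps caches from serving one origin's answer to another.
    return {"Access-Control-Allow-Origin": origin_header, "Vary": "Origin"}


TRUSTED = "https://www.shop.example"
# Loose comparisons of the kind the scanner's check types look for (illustrative).
WEAK_VALIDATORS = {
    "reflect": lambda o: True,
    "startswith": lambda o: o.startswith(TRUSTED),
    "endswith": lambda o: o.endswith("shop.example"),
    "unescaped_regex": lambda o: re.match(r"https://www.shop.example$", o) is not None,
    "contains": lambda o: o.split("://")[-1] in "www.shop.example",
}

# One constructed probe per check type named in the logs, rewritten for shop.example.
PROBES = {
    "reflect_origin": "https://evil.example",
    "prefix_match": "https://www.shop.example.evil.example",
    "suffix_match": "https://evilshop.example",
    "trust_null": "null",
    "include_match": "https://hop.example",
    "not_escape_dot": "https://wwwashop.example",
    "special_characters_bypass": "https://www.shop.example_.evil.example",
    "trust_any_subdomain": "https://evil.www.shop.example",
    "https_trust_http": "http://www.shop.example",
}


def accepted_probes(validator):
    """Names of the probe types that the given validator would wrongly trust."""
    return sorted(name for name, origin in PROBES.items() if validator(origin))


def audit():
    """Map each validator name to the probe types it accepts."""
    report = {name: accepted_probes(fn) for name, fn in WEAK_VALIDATORS.items()}
    report["exact_allowlist"] = accepted_probes(is_allowed)
    return report


if __name__ == "__main__":
    for name, accepted in audit().items():
        print(f"{name:16} accepts: {', '.join(accepted) or 'nothing'}")
    print(cors_headers("https://www.shop.example"))
```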

