CORS header not working for Api's with API keys

Developers Workers
1

I created a cloudflare worker for adding CORS headers to prevent my flutter web app from getting CORS errors. I copied the code from the cloudflare example

(https://developers.cloudflare.com/workers/examples/cors-header-proxy). The only thing that I changed is to change the API_URL to a valid Google Maps API url (for testing). Now if I type in the url of my worker (https://corsproxy.info-sunclicker.workers.dev/) in the browser, I see that I get a valid response without CORS proxy. But with CORS proxy and CORS proxy + preflight I get a response with this error message: “You must use an API key to authenticate each request to Google Maps Platform APIs”

It is strange because without cors proxy I get this valid response, so the API key is definitely correct: {“results”:[{“address_components”:[{“long_name”:“New York City”,“short_name”:“New York City”,“types”:[“locality”,“political”]},{“long_name”:“New York”,“short_name”:“NY”,“types”:[“administrative_area_level_1”,“political”]},{“long_name”:“USA”,“short_name”:“US”,“types”:[“country”,“political”]}],“formatted_address”:“New York City, New York, USA”,“geometry”:{“bounds”:{“northeast”:{“lat”:40.9175771,“lng”:-73.70027209999999},“southwest”:{“lat”:40.4773991,“lng”:-74.25908989999999}},“location”:{“lat”:40.7127753,“lng”:-74.0059728},“location_type”:“APPROXIMATE”,“viewport”:{“northeast”:{“lat”:40.9175771,“lng”:-73.70027209999999},“southwest”:{“lat”:40.4773991,“lng”:-74.25908989999999}}},“place_id”:“ChIJOwg_06VPwokRYv534QaPC8g”,“types”:[“locality”,“political”]}],“status”:“OK”}

I also tried a MapQuest API url which also requires an API key, but I get the same result there.

Does anybody know how I can fix this error?
Thanks in advance!

4

Can you share app URL? What are the errors you are seeing in the app?

5

In the app I am getting the exact same error response as you get when you open the worker url https://corsproxy.info-sunclicker.workers.dev/ in the browser.
In the app I am using this url for sending http requests: https://corsproxy.info-sunclicker.workers.dev/corsproxy/?apiurl=https://maps.googleapis.com/maps/api/geocode/json?address=New+York&key=Your_API_KEY (simply replace YOUR_API_KEY with your actual API key. Getting images for example works perfectly fine like this example: https://corsproxy.info-sunclicker.workers.dev/corsproxy/?apiurl=https://yt3.googleusercontent.com/G-xQ-34A-GcfZm9ByvMnFEf1TjOatTKrJ3g0XaL1kXqCbin-7hTXhQBDe3VYtcAhx59iKG9C5jA=s900-c-k-c0x00ffffff-no-rj

Also other Api’s like this free pokemon API which don’t require an API key works perfectly fine: https://corsproxy.info-sunclicker.workers.dev/corsproxy/?apiurl=https://pokeapi.co/api/v2/pokemon/ditto

6

I don’t see a CORS error, I see an API authentication error.

I don’t have an API KEY.

Can you share the real app URL for me to test?

8

I don’t see a CORS error, I see an API authentication error.

Yes that is the actual problem. Without using the worker proxy I get CORS errors. But if I try to use the worker proxy I get the authentication error.

Can you share the real app URL for me to test?

Yes. I can share it to you. But I first need to publish it later (I’m not at home right now). I just tested all locally with also getting the the error response with getting the Authentication error)

9

Do you understand how CORS works?

10

Do you understand how CORS works?

Actually I think I know what the problem basically is (sharing resources which has not the same origin in the URL are causing CORS errors). But to be honest I don’t know much more deeper details. This is my first web app and I never dealed with this kind of web stuff before. So this is replay challenging for me. I also don’t plan to go deeper into web development. I only want to use the web app for private usage. To reach my app from anywhere without installing an app I decided to make a flutter web app, because I know how to develop in flutter.

11

Yes.

If your site requests something from another site that doesn’t explicitly allow it (e.g. Access-Control-Allow-Origin: * header) then the browser won’t load it. The only way to “fix” this is to fix the headers on the requested resource. This is only possible if you control the requested resource.

12

The only way to “fix” this is to fix the headers on the requested resource

I thought this could also be fixed by using a proxy. Cause If I host my Web App on Cloudflare and that proxy is also on the cloudflare server, they have the same origin again which prevents any CORS errors. Is this not as I think? I also found this demo proxy (CORS anywhere). This seems to work fine for me. There I am not getting any authentication errors. But as I said: It’s only a demo and I therefore I can’t use it for my case. https://cors-anywhere.herokuapp.com/corsdemo/

13

Haven’t seen this before.

It won’t run on Cloudflare in its current form as it is a Node.js app.

15

Yeah it’s not on cloudflare.

So what would you do to fix the error?
Basically I need something to do http requests to Google’s maps API from a website which is hosted on cloudflare. The CORS anywhere proxy would be perfect if it would allow you to use it not only for testing purposes. Is there any chance to run that in a cloudflare worker? I found this repository but I don’t know how I have to set this up in a cloudflare worker https://www.google.com/url?sa=t&source=web&rct=j&opi=89978449&url=https://github.com/Zibri/cloudflare-cors-anywhere&ved=2ahUKEwj12LuGuMeAAxXUM-wKHcDfA9IQFnoECAwQAQ&usg=AOvVaw11LW6EFUjNAn-ZOV5lXJVk

16

See my previous post for the answer.

17

I finally found a solution. I found this script on Github: https://gist.github.com/rchrd2/dc74d4802050e3af62a125b048a53c71

I put that code into a cloudflare worker and now everything works as expected. I get a valid response without any CORS errors and without any Authentifikation errors. Exactly what I was looking for.

Thank you very much anyways for you help!