With URL Normalization off, URLs are still being normalized, but only with query params

With URL Normalization off, URLs are still being normalized, but only with query params.

We run a CORS Proxy to support some browser based tools that need to make requests to third party data sources that do not add CORS headers. It’s accessed by appending a URL to https://cors-proxy. e.g. https://cors-proxy./https://google.com

When a query parameter is included in the URL, it appears that Cloudflare is normalizing the URL in the path.

Request:
https://cors-proxy./https:///?test=123
Expected URL on proxy server
https://cors-proxy./https:///?test=123
Actual request received on proxy server
https://cors-proxy./https://?test=123

Note the single slash in the https. This obviously is an invalid URL. The below example works as expected:
Request:
https://cors-proxy./https:///whatever
Expected URL on proxy server
https://cors-proxy./https:///whatever
Actual request received on proxy server
https://cors-proxy./https:///whatever

URL Normalization is turned off in the site config.

Looks like the forum ate my formatting.

Request:
https://cors-proxy.domain.com/https://otherdomain.com/resource?test=123
Expected URL on proxy server
https://cors-proxy.domain.com/https://otherdomain.com/resource?test=123
Actual request received on proxy server
https://cors-proxy.domain.com/https:/otherdomain.com/resource?test=123

Without a query param:

Request:
https://cors-proxy.domain.com/https://otherdomain.com/resource
Expected URL on proxy server
https://cors-proxy.domain.com/https://otherdomain.com/resource
Actual request received on proxy server
https://cors-proxy.domain.com/https://otherdomain.com/resource

Are you saying that both of these are disabled?

Correct! Here’s a screenshot of my dashboard, which looks just like that:

Hi, is this still an issue? We had a bug last week which was fixed on Friday.

1 Like

I had modified the proxy we were using to strip out http:/ and https:// and use the appropriate protocols, but I reverted that change temporarily with some additional logging and it appears that it is indeed fixed. Pretty funny timing that the bug happened to be fixed right after the deployment and forum post.

Thanks!

2 Likes

This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.