Analytics CORS issue about partytown HOT 2 CLOSED

For any CORS issues, you'll need to setup a proxy the correct headers can be added by the server: https://github.com/BuilderIO/partytown/wiki/Proxying-Requests#configuring-url-proxies

from partytown.

I had CORS issues and read the link about proxies above. I have a working solution, but I'd like feedback.

Let's say my site is at https://example.com. I set up a new domain at proxy.example.com to act as the proxy for the primary site's Partytown calls. I've got a single file, index.php, in the webserver at proxy.example.com. Here is the content of that file:

https://gist.github.com/johnfmorton/50fb6ee911983a536a7fbfb5c1c3181d

Also, in the nginx.config for the proxy.example.com server, I have added a header to allow example.com.

add_header 'Access-Control-Allow-Origin' 'https://example.com';

In my tests, this proxy does the job. I'm seeing the analytics coming back from Google Analytics that I expect.

But what am I missing? Here's are the guardrails I've got in place.

• I'm checking the headers of incoming requests and only allowing the proxy to be used when I see what I expect.
• I only have "allow origin" headers for the server I want to use the proxy.
• I'm logging metrics (in a very basic way) to a file to see what's happening to the proxy.

How could this proxy be abused? How can it be improved?

Any feedback is greatly appreciated.

Thanks.

from partytown.