@cawfree/sameorigin

🤖 🧪 Masquerade as if you were their own frontend.

sameorigin generalizes the process of Same-Origin-Resource-Crossing, which allows you to work around the domain-based restrictions centralized services use to protect their APIs from third parties.

🚀 Getting Started

You can install sameorigin via yarn:

yarn add @cawfree/sameorigin

Next, declare the domain you wish to squat on. In the following example, let's assume I want to bypass the CloudFlare restrictions on the Blur Marketplace:

import {sameorigin} from '@cawfree/sameorigin';

const [axios, {close}] = await sameorigin({
  // Define the website url that has access permissions and generates some requests.
  squatURL: 'https://blur.io/airdrop',
});

const {data} = await axios({
  // Important! You must declare the baseURL of the API you intend
  // to target. This is because it is used to isolate requests you
  // intend to hijack for your own purposes.
  baseURL: 'https://core-api.prod.blur.io/v1',
    
  // GET https://core-api.prod.blur.io/v1/prices
  url: '/prices',
  method: 'get',
});

// Once finished, you'll need to close your client to prevent
// memory leaks.
await close();

Warning

Some interfaces defend against tools like sameorigin by analysing the runtime window. If you find your requests are being rejected, instantiate sameorigin using headless: false as a workaround.
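
The kind of runtime-window analysis this warning refers to, seen from the defending site's side, as an added example that is not part of sameorigin or of any vendor's code. The signal names, the thresholds and the sample window snapshots are assumptions constructed for illustration:

```javascript
// Added example: list automation signals visible on a window-like object.
// The signal names and the allow/challenge/reject thresholds are assumptions.
function automationSignals(win) {
  const nav = win.navigator || {};
  const signals = [];
  // WebDriver spec: true while the browser is under automation control.
  if (nav.webdriver === true) signals.push('navigator.webdriver');
  // Headless Chrome names itself in its default user agent string.
  if (/HeadlessChrome/.test(nav.userAgent || '')) signals.push('headless-user-agent');
  // An interactive browser normally reports at least one preferred language.
  if (!Array.isArray(nav.languages) || nav.languages.length === 0) signals.push('no-languages');
  // No outer dimensions means there is no visible browser window.
  if (win.outerWidth === 0 && win.outerHeight === 0) signals.push('zero-outer-size');
  return signals;
}

function classify(win) {
  const signals = automationSignals(win);
  const verdict = signals.length === 0 ? 'allow' : signals.length === 1 ? 'challenge' : 'reject';
  return { verdict, signals };
}

// Constructed window snapshots (not captured from any real browser session).
const samples = {
  headless: {
    navigator: { webdriver: true, userAgent: 'Mozilla/5.0 HeadlessChrome/120.0.0.0', languages: [] },
    outerWidth: 0, outerHeight: 0,
  },
  headful: {
    navigator: { webdriver: true, userAgent: 'Mozilla/5.0 Chrome/120.0.0.0', languages: ['en-US'] },
    outerWidth: 1280, outerHeight: 800,
  },
  regular: {
    navigator: { webdriver: false, userAgent: 'Mozilla/5.0 Chrome/120.0.0.0', languages: ['en-US'] },
    outerWidth: 1440, outerHeight: 900,
  },
};

for (const [name, win] of Object.entries(samples)) {
  console.log(name, JSON.stringify(classify(win)));
}
```

Values read in the page can be altered by whoever controls the browser, so a site would treat this verdict as one input alongside server-side rate and behaviour checks.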

🤔 How does it work?

When making a call to sameorigin, we allocate an instance of puppeteer in the background which is used to capture requests and serve as a trusted origin for API requests to originate from.

We make the page available via an express server which manages the life cycle of pages, captures requests which satisfy CloudFlare's protections and dynamically injects them with custom query data.

This process is masked behind the returned axios client. The underlying process of squatting on pages, hijacking requests and returning the data as if it were a conventional fetch request is abstracted away from the caller.

โœŒ๏ธ License

CC0-1.0
