Technical Guide
The CORS Dilemma for Web RSS Readers
Why browser-based feed readers face a unique challenge—and how we solved it while keeping your privacy intact.
~60% of blogs block browser requests
100% private with our extension
0 rate limits with extension
Open source & auditable
Privacy by Architecture
Unlike traditional feed readers that store and process your content on their servers, we fetch and cache everything locally in your browser. Your reading habits, followed blogs, and feed content never touch our servers.
But this privacy-first architecture comes with a challenge: CORS.
What is CORS?
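Cross-Origin Resource Sharing (CORS) is part of the browser security model for requests between different domains: by default, a page's scripts cannot read a response from another origin unless that server opts in through CORS headers. It's fundamental to web security.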
This protection stops malicious websites from stealing data from sites you're logged into. But for legitimate use cases like RSS readers, it creates a hurdle.
What happens
[Diagram: blogsareback.com, example-blog.com/feed.xml]
How blogs can opt-in
Blogs can add a simple HTTP header: Access-Control-Allow-Origin: *. This tells browsers "it's okay, let anyone read this." But most blogs don't have this configured.
Why Most Feeds Don't Have CORS
RSS was designed in the early 2000s, long before CORS existed. Traditional RSS readers were desktop apps or server-side apps—neither subject to CORS restrictions.
Desktop apps
Make requests directly—no CORS restrictions apply outside the browser sandbox
Server-side readers
Fetch feeds on the server and serve to users—CORS only affects browser requests
Our Three-Tier Solution
We try the best option first and gracefully fall back to alternatives
Browser Extension (Recommended)
Our open-source extension runs in a privileged context that bypasses CORS entirely. Zero server involvement, unlimited speed.
Direct Browser Fetch (~30-40% of feeds)
For blogs with CORS headers enabled, we fetch directly from the browser. Zero server load, instant response.
Server Proxy (Fallback)
When neither the extension nor direct fetch works, we fall back to our server proxy. It works, but with limitations.
What You Can Do
For Readers
Install our browser extension for the best experience. It's open source, takes 30 seconds, and dramatically improves performance while maintaining full privacy.
For Bloggers
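Help all web-based RSS readers by enabling CORS on your feed. It's a simple header addition: Access-Control-Allow-Origin: *
This is completely safe for public RSS feeds—it just tells browsers "anyone can read this." Browsers refuse to combine the wildcard with credentialed requests, so it exposes nothing beyond what an anonymous visitor could already fetch.
View setup instructions for your platform
Technical FAQ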
Why not just run everything through your server?
We could, but that means all your reading activity flows through us. We believe in privacy by architecture—when feeds are fetched in your browser, we can't see what you're reading. That's a stronger guarantee than "we promise not to look."
Is your proxy safe from attacks?
Yes. Our proxy includes comprehensive SSRF protection, blocking requests to private IP ranges, cloud metadata endpoints, and internal services. We validate content types to ensure only actual feed content passes through.
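A sketch of the destination and content-type checks this answer describes, added here for illustration and not taken from the project's proxy. The function names, the CIDR list and the accepted media types are assumptions, and the resolved addresses are passed in so the example runs offline.

```javascript
// Added example; function names, CIDR list and media types are assumptions.
// Ranges: "this network", RFC 1918 private, CGNAT, loopback and link-local
// (169.254.0.0/16 contains the 169.254.169.254 cloud metadata address).
const BLOCKED_V4 = [
  ["0.0.0.0", 8], ["10.0.0.0", 8], ["100.64.0.0", 10], ["127.0.0.0", 8],
  ["169.254.0.0", 16], ["172.16.0.0", 12], ["192.168.0.0", 16],
];
const FEED_TYPES = new Set([
  "application/rss+xml", "application/atom+xml", "application/xml",
  "text/xml", "application/feed+json",
]);
// Strict dotted-quad -> unsigned 32-bit integer, or null if not IPv4.
function ipv4ToInt(ip) {
  const parts = ip.split(".");
  const valid = parts.length === 4 && parts.every((p) => /^\d{1,3}$/.test(p) && Number(p) <= 255);
  return valid ? parts.reduce((acc, p) => acc * 256 + Number(p), 0) : null;
}

function isBlockedAddress(ip) {
  const addr = ip.toLowerCase();
  const v4 = ipv4ToInt(addr);
  if (v4 !== null) {
    return BLOCKED_V4.some(([base, bits]) => {
      const mask = (~0 << (32 - bits)) >>> 0;
      return ((v4 & mask) >>> 0) === ((ipv4ToInt(base) & mask) >>> 0);
    });
  }
  // Anything else fails closed: only IPv6 global unicast (2000::/3) passes,
  // minus 6to4 (2002::/16), whose embedded IPv4 this sketch does not decode.
  return !/^[23][0-9a-f]{3}:/.test(addr) || addr.startsWith("2002:");
}

// resolvedAddresses: every A/AAAA result the proxy got for the host.
// A single internal address among them is enough to refuse the fetch.
function checkFeedTarget(urlString, resolvedAddresses) {
  let url;
  try { url = new URL(urlString); } catch { return { ok: false, reason: "invalid URL" }; }
  if (!["http:", "https:"].includes(url.protocol)) return { ok: false, reason: "scheme not allowed" };
  const host = url.hostname.replace(/^\[|\]$/g, "");
  // An IP literal in the URL is checked even if the caller resolved nothing.
  const literal = ipv4ToInt(host) !== null || host.includes(":") ? [host] : [];
  const candidates = [...literal, ...resolvedAddresses];
  if (candidates.length === 0) return { ok: false, reason: "no address" };
  const bad = candidates.find(isBlockedAddress);
  return bad ? { ok: false, reason: `blocked address ${bad}` } : { ok: true, reason: "ok" };
}
// Compare the media type only; parameters such as charset are ignored.
function isFeedContentType(header) {
  return FEED_TYPES.has(String(header || "").split(";")[0].trim().toLowerCase());
}
```

The caller should connect to the exact address that passed the check and repeat the check on every redirect hop. Otherwise a second DNS answer or a redirect can send the fetch to a destination the check never saw.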
What data does the extension access?
The extension only activates for feed URLs and our domain. It can't read your browsing history, inject scripts, or access data from other sites. The source code is public—verify it yourself.
What if I don't want to install an extension?
That's fine! The app works without it. You'll use our server proxy for CORS-blocked feeds, and blogs with CORS enabled will still load directly. You may hit rate limits if you follow many blogs.
Questions or Feedback?
We're always working to improve. If you have ideas for how we can make the CORS situation better, we'd love to hear from you.