Soap Reader — CORS Proxy

Load any WSDL on wsdlsoap.com — CORS bypass, Basic Auth, mTLS, custom headers, smart auth detection and WSDL discovery.

SOAP Reader — CORS Proxy is the official companion extension for wsdlsoap.com, the in-browser WSDL analyzer and SOAP request builder. It lets you load WSDL files from any server — even those protected by CORS, Basic Auth, mTLS, or custom authentication headers — directly from the wsdlsoap.com analyzer, with zero server-side configuration. If you have ever tried to inspect a WSDL from a corporate, intranet, or third-party SOAP service and been blocked by "CORS error", "401 Unauthorized", or a self-signed certificate prompt, this is the extension that fixes it. ═══════════════════════════════ WHAT YOU CAN DO ═══════════════════════════════ — CORS bypass — - Extension bridge: routes WSDL fetches and SOAP test requests through the service worker so the wsdlsoap.com page can read responses that block cross-origin access. - declarativeNetRequest CORS injection (Chrome/Edge/Brave/Opera): optionally injects Access-Control-Allow-Origin headers into responses so the page can fetch directly, no round-trip through the extension. — Authentication — - Basic Auth: store a username + password once; applied automatically to every WSDL fetch. - mTLS client certificates: upload a .p12, .pfx, or .pem certificate. On ChromeOS the extension registers it via chrome.certificateProvider for the TLS handshake. On Windows / macOS / Linux the popup walks you through installing the cert in the OS trust store. - Custom headers: add any HTTP headers (API keys, bearer tokens, session cookies, x-api-key, etc.) — applied to every proxied request. - Smart Auth Detection: paste an endpoint URL, click "Auto-Detect", and the extension sends a HEAD request and reports the auth scheme (Basic, Bearer, Digest, NTLM, Custom, None, or "Authentication Required"). - Auth Presets: save any detected configuration as a named preset and apply it with one click. — WSDL Discovery — - Google Dorks builder: generate targeted Google search queries to find public WSDL, XSD, and ASMX endpoints by site, URL pattern, and filetype. Preview the query, copy it, or open it directly in Google. — Local Proxy tools (downloadable from the popup) — - local-proxy.js: zero-dependency Node.js CORS proxy for corporate / VPN-only WSDLs. Includes a --once flag for one-shot use. - local-proxy.py: Python equivalent for teams without Node.js. - Tampermonkey script: userscript alternative that injects CORS headers without installing a full extension. — AI / Claude integration (WebMCP · Beta) — - wsdlsoap.com registers 5 tools via the W3C-standard WebMCP API (navigator.modelContext) for Claude, Cursor, and other WebMCP-aware AI assistants directly on the page. This extension supplies the optional CORS/auth/mTLS fetch backend the load_wsdl tool uses. Beta: WebMCP is in Chrome's Early Preview Program and may change. The 5 tools: • load_wsdl — fetch and parse a WSDL by URL. • list_services — list services and ports. • list_operations — list operations (with optional service filter). • get_operation — full operation detail (input/output, binding, SOAP action). • generate_soap_request — generate a sample SOAP XML envelope. ═══════════════════════════════ HOW IT WORKS ═══════════════════════════════ When you visit wsdlsoap.com (or localhost during development) the extension injects a tiny flag (window.__soapReaderExtension) into the page before any site script runs. The wsdlsoap.com analyzer detects the flag and routes its WSDL fetches and SOAP test requests through the extension's service worker instead of issuing a direct fetch from the page — bypassing CORS, applying stored credentials, and presenting your client certificate during the TLS handshake when required. Architecture: wsdlsoap.com page → content script (isolated world) → background service worker → target WSDL server → response back to the page. ═══════════════════════════════ PRIVACY — NO TRACKING. NO SERVER. NO ADS. ═══════════════════════════════ - Every fetch happens directly between your browser and the WSDL server you choose. The extension does NOT proxy through any third-party server. - Credentials, certificates, and custom headers are stored in chrome.storage.local — never transmitted anywhere except to the specific WSDL endpoint you target. - No analytics, no telemetry, no tracking pixels, no ads. - Origin guard: the content script only relays messages from wsdlsoap.com, www.wsdlsoap.com, localhost, and 127.0.0.1. Any other origin is ignored. ═══════════════════════════════ COMPATIBILITY ═══════════════════════════════ - Chrome 88+, Microsoft Edge 88+, Brave, Opera (full feature set). - mTLS via chrome.certificateProvider is ChromeOS-only; on Windows / macOS / Linux, install the certificate in the OS trust store (the popup includes step-by-step instructions for each platform). - Firefox 113+ supported via a separate build (no DNR CORS toggle there). ═══════════════════════════════ WHO SHOULD USE THIS ═══════════════════════════════ - Backend / integration engineers debugging SOAP services. - QA / SDET inspecting WSDL contracts and building sample requests. - Architects auditing public or partner SOAP endpoints. - Anyone who landed on wsdlsoap.com, pasted a WSDL URL, and got "Failed to fetch" or a CORS error. More tools at wsdlsoap.com