But, this required users to have access to a web server.
I very briefly considered setting up a public instance, but I'm not a professional web developer and didn't know what the implications would be, either for the overall security of my server, or in bandwidth costs, particularly if malicious users started using the "proxy" for other things. All of the client-side code is out in the open, so it also wasn't clear how I'd make an authentication scheme. I'm sure there's a way, but again, not a web developer!
I think the suggestion is to skip a web server at all and go "serverless" with Cloudflare Workers, which are free for up to 100,000 requests/day: https://workers.cloudflare.com/
If your Worker code hardcodes the Dark Sky domain, the worst an attacker could do is either use up your free worker quota from Cloudflare, or hammer Dark Sky at the Worker ratelimit (1,000/minute, which Dark Sky should easily handle).
AWS, Azure, GCP all also have free tiers for their serverless services. RunKit (http://runkit.com) might also work.
These are all likely to be HTTPS-only, but hopefully at least one of them supports TLS v1.1, rather than being 1.2-only like apparently is the problem with Dark Sky.
I very briefly considered setting up a public instance, but I'm not a professional web developer and didn't know what the implications would be, either for the overall security of my server, or in bandwidth costs, particularly if malicious users started using the "proxy" for other things. All of the client-side code is out in the open, so it also wasn't clear how I'd make an authentication scheme. I'm sure there's a way, but again, not a web developer!