Skip to content
This repository has been archived by the owner on Aug 11, 2021. It is now read-only.

add support for CORS headers #108

Closed
maks opened this issue May 31, 2013 · 38 comments
Closed

add support for CORS headers #108

maks opened this issue May 31, 2013 · 38 comments

Comments

@maks
Copy link

maks commented May 31, 2013

I'm working on a npm client to use in-browser and would like to be able to access registry.npmjs.org from a browser webpage without using a proxy.

@isaacs
Copy link
Contributor

isaacs commented May 31, 2013

@iriscouch @jhs Is it possible to enable cors headers on couchdb? Config somewhere?

@isaacs
Copy link
Contributor

isaacs commented May 31, 2013

I think I might have just enabled them. That was super easy. Can you test and see if it works?

@maks
Copy link
Author

maks commented May 31, 2013

Wow thanks so much for such a quick response!!
A quick google found this: http://wiki.apache.org/couchdb/CORS#Enabling_CORS
but I've never used couch before and couldn't see where that config file is in npm src here

@maks
Copy link
Author

maks commented May 31, 2013

I just tried http://registry.npmjs.org/bops/latest but can't see the cors headers?

@isaacs
Copy link
Contributor

isaacs commented May 31, 2013

Yeah, I think I didn't do something. I'll dig into it later. People have
asked for this a few times, so it'd be good to just do it.

On Thursday, May 30, 2013, Maksim Lin wrote:

I should also mention I am testing using curl -II and with
http://client.cors-api.appspot.com/client#?client_method=GET&client_credentials=false&server_url=http%3A%2F%2Fregistry.npmjs.org%2Fbops%2Flatest&server_enable=true&server_status=200&server_credentials=false&server_tabs=remote


Reply to this email directly or view it on GitHubhttps://github.com//issues/108#issuecomment-18717481
.

@maks
Copy link
Author

maks commented May 31, 2013

@isaacs really appreciate you looking at this so quickly! Anytime you get a chance to look into it is fine.

@kumavis
Copy link

kumavis commented Jun 6, 2013

+1

@maks
Copy link
Author

maks commented Nov 28, 2013

@isaacs would you have time to look into this again? with @dominictarr npmd now available it would be useful to try using it even in-browser.

@isaacs
Copy link
Contributor

isaacs commented Dec 2, 2013

@jhs Maybe you could look at this? Did I do something wrong?

I've enabled cors for methods = GET, HEAD (since allowing PUTs and DELETEs would be stupidly dangerous) and for all hosts. However, it's not sending the proper headers, as far as I can tell.

@isaacs
Copy link
Contributor

isaacs commented Dec 2, 2013

Oh, hahaha, nevermind. The issue was that I'd set origin: * instead of origins: *. Note the plural on "origins".

Can you try it now?

@isaacs isaacs closed this as completed Dec 2, 2013
@nathanboktae
Copy link

CORS headers aren't there still. Try $.ajax('https://registry.npmjs.org/mocha') in the console here on github:

$.ajax('https://registry.npmjs.org/mocha')
Object {readyState: 1, getResponseHeader: function, getAllResponseHeaders: function, setRequestHeader: function, overrideMimeType: function…}
XMLHttpRequest cannot load https://registry.npmjs.org/mocha. No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'https://github.com' is therefore not allowed access.

@terinjokes terinjokes reopened this May 28, 2014
@maks
Copy link
Author

maks commented May 28, 2014

I wonder if the change the @isaacs made got backed out some how because I do remember trying it after it got closed and it was working then for me but yes now the headers are gone again.

@eiriksm
Copy link

eiriksm commented Jul 1, 2014

+1
Also working on something that queries npm through the browser and would love to avoid proxying :)

@onaclov2000
Copy link

Any chance this has been resolved? I have been playing with it a little (via angularjs) but can't seem to get around the CORs issue.

Thank you

@pbrinkmeier
Copy link

Please add CORS headers, that would just make everything easier for me.

@maxleiko
Copy link

👍

1 similar comment
@huafu
Copy link

huafu commented Feb 7, 2015

👍

@deathcap
Copy link

👍 would be great if CORS could be (re-?)enabled to open up many new possibilities for web-based interaction with the NPM registry without proxy hacks.

For reference, this is only a CouchDB configuration change (no code change), in case anyone wants to enable CORS on their own npm-registry-couchapp instance, something like this works:

curl -X PUT http://admin:password@localhost:5984/_config/httpd/enable_cors -d '"true"'
curl -X PUT http://admin:password@localhost:5984/_config/cors/origins -d '"*"'
curl -X PUT http://admin:password@localhost:5984/_config/cors/methods -d '"GET, HEAD"'

then test that it is enabled with:

curl -i -H 'Origin: example.com' registry.npmjs.org | grep Access-Control

curl -i -H 'Origin: example.com' localhost:5984 | grep Access-Control
…
Access-Control-Expose-Headers: Cache-Control, Content-Type, Server
Access-Control-Allow-Origin: example.com

@osslate
Copy link

osslate commented Feb 10, 2015

👍

@kumavis
Copy link

kumavis commented Feb 13, 2015

thanks @deathcap!

@kumavis
Copy link

kumavis commented Feb 13, 2015

Here is a CORS proxy service max runs if anyone needs a temporary workaround http://cors.maxogden.com

@manosim
Copy link

manosim commented May 5, 2015

+1 Trying to make a request: XMLHttpRequest cannot load https://registry.npmjs.org/less. Origin http://192.168.1.68:8080 is not allowed by Access-Control-Allow-Origin.

@xixixao
Copy link

xixixao commented Jun 8, 2015

+1

1 similar comment
@zahhak
Copy link

zahhak commented Sep 10, 2015

👍

@kumavis
Copy link

kumavis commented Sep 11, 2015

👍

@luisherranz
Copy link

Want this! 👍

@alexanderbartels
Copy link

👍

@cbornet
Copy link

cbornet commented Jan 14, 2016

👍

@cbornet
Copy link

cbornet commented Jan 15, 2016

@isaacs any chance this can be enabled again or is there a security issue preventing this ?

@zeke
Copy link

zeke commented Jan 22, 2016

Hey @ceejbot, @bcoe, @seldo, @isaacs. Any progress on this? Would really love to migrate people off my proxy app.

@bcoe
Copy link
Contributor

bcoe commented Jan 23, 2016

We had CORS enabled for a period of time, but it unfortunately raised some security concerns: allowing folks to perform arbitrary puts from the browser, opening us up to potential DDoS attacks, etc. We opted to turn CORS back off due to these concerns.

Since this time, we have gradually moved away from adding any updates to npm-registry-couchapp; the codebase has gradually become deprecated as we've moved to a more distributed architecture.

I've officially added a deprecation notice to the repo:

#252

And I'd love for folks to instead join the conversation here:

https://github.com/npm/public-api

Let's decide on what a public API for npm should look like.

@vadzim
Copy link

vadzim commented Apr 16, 2020

For visitors:
You can use unpkg (https://unpkg.com/) instead of https://npmjs.com/
Unpkg is a CDN and sets CORS

@Jolg42
Copy link

Jolg42 commented Feb 1, 2021

Another workaround would be to use npms https://api.npms.io/v2/package/prisma

@jasonkuhrt
Copy link

@vadzim I don't see a way to get the npm package metadata from unpkg?

@Jolg42 that doesn't offer the npm package metadata either?

@Jolg42
Copy link

Jolg42 commented May 10, 2021

@jasonkuhrt npms offers the same with some differences but mostly the same with extra fields. Though npms had issues in the past with stale data.

@Jolg42
Copy link

Jolg42 commented May 10, 2021

The discussion continues here since this issue is closed and not monitored I guess.

npm/feedback#117

@jasonkuhrt
Copy link

This works for us for now https://npmjs.cf/

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
None yet
Projects
None yet
Development

No branches or pull requests