This repository has been archived by the owner on Aug 23, 2018. It is now read-only.

CORS #110

Open
legodude17 opened this issue Jan 9, 2017 · 15 comments

@legodude17

I would like to use the registry for a browser side npm client, but the npm registry does not have CORS enabled. Could you please add that? It would be very helpful.

@zeke

zeke commented Jan 9, 2017

I think you've opened this issue in the right place, but here's some backstory from where the issue used to live: npm/npm-registry-couchapp#108

@ashleygwilliams
Contributor

hey! i don't think we're ready to offer CORS at this time because of security issues. you can however stand up your own CORS anywhere (https://github.com/Rob--W/cors-anywhere) and that should work for ya!

@zeke

zeke commented Jan 9, 2017

It sounds like the security issues were only for write operations like PUT. What about enabling CORS just for read requests like GET and HEAD?

@ashleygwilliams
Contributor

i think it would be a great idea! it will not be solved immediately though, @zeke. in the meantime, the solution i shared can give @legodude17 a working solution right away.

@legodude17
Author

Awesome! Thank you for the quick response @ashleygwilliams!

@WebReflection
Contributor

WebReflection commented Jan 28, 2017

I've followed this issue too and I didn't understand the problem ... you could enable only HEAD and GET operations, no need to enable POST, PUT, and DELETE too, right?

Please add HEAD and GET options for CORS, it'd be awesome, thank you!!!

@legodude17
Author

@WebReflection, @ashleygwilliams said that it would happen, but not right now.

@WebReflection
Contributor

I wasn't sure @ashleygwilliams was part of the team and there's no assignee yet, hence my post.

By any chance can we have an ETA for this? Thanks!

@legodude17
Author

You would have to ask @ashleygwilliams. 😄

@WebReflection
Contributor

mentioned indeed in my previous post ;-)

@WebReflection
Contributor

@ashleygwilliams any possible time estimate for this, if it'll ever happen?

@broofa

broofa commented Oct 13, 2017

FWIW, a not-horrible workaround is to use a CORS proxy service like http://cors-proxy.htmldriven.com/

That said, depending on 3rd-party services is less than ideal. E.g. if an app using them gets Reddit-hugged, it could bring the service down.

@WebReflection
Contributor

@broofa nobody wants to use third parties unless it's unpkg.com, which is already CORS enabled.

Unfortunately though, there's no way to know package details without redirection, which is not sync XHR friendly for libraries/tools that need it.

@rajsite

rajsite commented May 1, 2018

Dunno if I should make a separate issue but the use case I'm looking at is to just have package metadata (specifically dist-tags) served with CORS enabled; I'm not manipulating packages themselves.

Is there less of a risk for just having package metadata available with CORS enabled?
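
A read-only CORS policy of the kind proposed in this thread (GET and HEAD only, no credentials), as an added example that is not part of the thread or npm's registry code. The function name `corsDecision` and the list of allowed request headers are assumptions made for illustration.

```javascript
// Added example: hypothetical read-only CORS policy, not npm registry code.
const READ_METHODS = new Set(['GET', 'HEAD']);
// Request headers a cross-origin reader may send (assumed list).
// Authorization is deliberately absent so tokens are never accepted cross-origin.
const ALLOWED_REQUEST_HEADERS = new Set(['accept', 'if-none-match']);

function lowerKeys(headers) {
  const out = {};
  for (const [k, v] of Object.entries(headers)) out[k.toLowerCase()] = v;
  return out;
}

// Decide which CORS response headers to send for one incoming request.
// preflight is 'allowed', 'denied', or null when the request is not a preflight.
function corsDecision(method, headers) {
  const h = lowerKeys(headers);
  if (!h.origin) return { cors: {}, preflight: null }; // no Origin header: nothing to decide
  const m = method.toUpperCase();

  if (m === 'OPTIONS' && h['access-control-request-method']) {
    const wanted = h['access-control-request-method'].toUpperCase();
    const reqHeaders = (h['access-control-request-headers'] || '')
      .split(',').map((s) => s.trim().toLowerCase()).filter(Boolean);
    const ok = READ_METHODS.has(wanted) &&
      reqHeaders.every((name) => ALLOWED_REQUEST_HEADERS.has(name));
    // A denied preflight gets no CORS headers, so the browser never sends the PUT/DELETE.
    if (!ok) return { cors: {}, preflight: 'denied' };
    const cors = {
      'Access-Control-Allow-Origin': '*',
      'Access-Control-Allow-Methods': 'GET, HEAD',
    };
    if (reqHeaders.length) cors['Access-Control-Allow-Headers'] = reqHeaders.join(', ');
    return { cors, preflight: 'allowed' };
  }

  // Wildcard origin without Access-Control-Allow-Credentials: browsers will not
  // expose the response to a cross-origin request made in credentials mode.
  if (READ_METHODS.has(m)) {
    return { cors: { 'Access-Control-Allow-Origin': '*' }, preflight: null };
  }
  return { cors: {}, preflight: null }; // write methods: response stays unreadable cross-origin
}
```

CORS headers control what a browser lets a page read and which preflighted requests go out; a simple cross-origin POST is still sent, so write endpoints need their own authentication and CSRF checks.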

@toporelo

toporelo commented May 14, 2018
