Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

add support for CORS headers #108

Closed
maks opened this issue May 31, 2013 · 32 comments

Comments

Projects
None yet
@maks
Copy link

commented May 31, 2013

I'm working on a npm client to use in-browser and would like to be able to access registry.npmjs.org from a browser webpage without using a proxy.

@isaacs

This comment has been minimized.

Copy link
Member

commented May 31, 2013

@iriscouch @jhs Is it possible to enable cors headers on couchdb? Config somewhere?

@isaacs

This comment has been minimized.

Copy link
Member

commented May 31, 2013

I think I might have just enabled them. That was super easy. Can you test and see if it works?

@maks

This comment has been minimized.

Copy link
Author

commented May 31, 2013

Wow thanks so much for such a quick response!!
A quick google found this: http://wiki.apache.org/couchdb/CORS#Enabling_CORS
but I've never used couch before and couldn't see where that config file is in npm src here

@maks

This comment has been minimized.

Copy link
Author

commented May 31, 2013

I just tried http://registry.npmjs.org/bops/latest but can't see the cors headers?

@isaacs

This comment has been minimized.

Copy link
Member

commented May 31, 2013

Yeah, I think I didn't do something. I'll dig into it later. People have
asked for this a few times, so it'd be good to just do it.

On Thursday, May 30, 2013, Maksim Lin wrote:

I should also mention I am testing using curl -II and with
http://client.cors-api.appspot.com/client#?client_method=GET&client_credentials=false&server_url=http%3A%2F%2Fregistry.npmjs.org%2Fbops%2Flatest&server_enable=true&server_status=200&server_credentials=false&server_tabs=remote


Reply to this email directly or view it on GitHubhttps://github.com//issues/108#issuecomment-18717481
.

@maks

This comment has been minimized.

Copy link
Author

commented May 31, 2013

@isaacs really appreciate you looking at this so quickly! Anytime you get a chance to look into it is fine.

@kumavis

This comment has been minimized.

Copy link

commented Jun 6, 2013

+1

@maks

This comment has been minimized.

Copy link
Author

commented Nov 28, 2013

@isaacs would you have time to look into this again? with @dominictarr npmd now available it would be useful to try using it even in-browser.

@isaacs

This comment has been minimized.

Copy link
Member

commented Dec 2, 2013

@jhs Maybe you could look at this? Did I do something wrong?

I've enabled cors for methods = GET, HEAD (since allowing PUTs and DELETEs would be stupidly dangerous) and for all hosts. However, it's not sending the proper headers, as far as I can tell.

@isaacs

This comment has been minimized.

Copy link
Member

commented Dec 2, 2013

Oh, hahaha, nevermind. The issue was that I'd set origin: * instead of origins: *. Note the plural on "origins".

Can you try it now?

@isaacs isaacs closed this Dec 2, 2013

@nathanboktae

This comment has been minimized.

Copy link

commented May 26, 2014

CORS headers aren't there still. Try $.ajax('https://registry.npmjs.org/mocha') in the console here on github:

$.ajax('https://registry.npmjs.org/mocha')
Object {readyState: 1, getResponseHeader: function, getAllResponseHeaders: function, setRequestHeader: function, overrideMimeType: function…}
XMLHttpRequest cannot load https://registry.npmjs.org/mocha. No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'https://github.com' is therefore not allowed access.

@terinjokes terinjokes reopened this May 28, 2014

@maks

This comment has been minimized.

Copy link
Author

commented May 28, 2014

I wonder if the change the @isaacs made got backed out some how because I do remember trying it after it got closed and it was working then for me but yes now the headers are gone again.

@eiriksm

This comment has been minimized.

Copy link

commented Jul 1, 2014

+1
Also working on something that queries npm through the browser and would love to avoid proxying :)

@onaclov2000

This comment has been minimized.

Copy link

commented Aug 15, 2014

Any chance this has been resolved? I have been playing with it a little (via angularjs) but can't seem to get around the CORs issue.

Thank you

@anvaka anvaka referenced this issue Sep 9, 2014

Closed

registry #1

@pbrinkmeier

This comment has been minimized.

Copy link

commented Jan 11, 2015

Please add CORS headers, that would just make everything easier for me.

@maxleiko

This comment has been minimized.

Copy link

commented Jan 27, 2015

👍

1 similar comment
@huafu

This comment has been minimized.

Copy link

commented Feb 7, 2015

👍

@deathcap

This comment has been minimized.

Copy link

commented Feb 10, 2015

👍 would be great if CORS could be (re-?)enabled to open up many new possibilities for web-based interaction with the NPM registry without proxy hacks.

For reference, this is only a CouchDB configuration change (no code change), in case anyone wants to enable CORS on their own npm-registry-couchapp instance, something like this works:

curl -X PUT http://admin:password@localhost:5984/_config/httpd/enable_cors -d '"true"'
curl -X PUT http://admin:password@localhost:5984/_config/cors/origins -d '"*"'
curl -X PUT http://admin:password@localhost:5984/_config/cors/methods -d '"GET, HEAD"'

then test that it is enabled with:

curl -i -H 'Origin: example.com' registry.npmjs.org | grep Access-Control

curl -i -H 'Origin: example.com' localhost:5984 | grep Access-Control
…
Access-Control-Expose-Headers: Cache-Control, Content-Type, Server
Access-Control-Allow-Origin: example.com
@sigkell

This comment has been minimized.

Copy link

commented Feb 10, 2015

👍

@kumavis

This comment has been minimized.

Copy link

commented Feb 13, 2015

thanks @deathcap!

@kumavis

This comment has been minimized.

Copy link

commented Feb 13, 2015

Here is a CORS proxy service max runs if anyone needs a temporary workaround http://cors.maxogden.com

@manosim

This comment has been minimized.

Copy link

commented May 5, 2015

+1 Trying to make a request: XMLHttpRequest cannot load https://registry.npmjs.org/less. Origin http://192.168.1.68:8080 is not allowed by Access-Control-Allow-Origin.

@xixixao

This comment has been minimized.

Copy link

commented Jun 8, 2015

+1

@zahhak

This comment has been minimized.

Copy link

commented Sep 10, 2015

👍

1 similar comment
@kumavis

This comment has been minimized.

Copy link

commented Sep 11, 2015

👍

@luisherranz

This comment has been minimized.

Copy link

commented Oct 10, 2015

Want this! 👍

@alexanderbartels

This comment has been minimized.

Copy link

commented Nov 26, 2015

👍

@cbornet

This comment has been minimized.

Copy link

commented Jan 14, 2016

👍

@cbornet

This comment has been minimized.

Copy link

commented Jan 15, 2016

@isaacs any chance this can be enabled again or is there a security issue preventing this ?

@zeke

This comment has been minimized.

Copy link

commented Jan 22, 2016

Hey @ceejbot, @bcoe, @seldo, @isaacs. Any progress on this? Would really love to migrate people off my proxy app.

@bcoe

This comment has been minimized.

Copy link
Contributor

commented Jan 23, 2016

We had CORS enabled for a period of time, but it unfortunately raised some security concerns: allowing folks to perform arbitrary puts from the browser, opening us up to potential DDoS attacks, etc. We opted to turn CORS back off due to these concerns.

Since this time, we have gradually moved away from adding any updates to npm-registry-couchapp; the codebase has gradually become deprecated as we've moved to a more distributed architecture.

I've officially added a deprecation notice to the repo:

#252

And I'd love for folks to instead join the conversation here:

https://github.com/npm/public-api

Let's decide on what a public API for npm should look like.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.