Skip to content
This repository has been archived by the owner. It is now read-only.

add support for CORS headers #108

Closed
maks opened this issue May 31, 2013 · 38 comments
Closed

add support for CORS headers #108

maks opened this issue May 31, 2013 · 38 comments

Comments

@maks
Copy link

@maks maks commented May 31, 2013

I'm working on a npm client to use in-browser and would like to be able to access registry.npmjs.org from a browser webpage without using a proxy.

@isaacs
Copy link
Contributor

@isaacs isaacs commented May 31, 2013

@iriscouch @jhs Is it possible to enable cors headers on couchdb? Config somewhere?

@isaacs
Copy link
Contributor

@isaacs isaacs commented May 31, 2013

I think I might have just enabled them. That was super easy. Can you test and see if it works?

@maks
Copy link
Author

@maks maks commented May 31, 2013

Wow thanks so much for such a quick response!!
A quick google found this: http://wiki.apache.org/couchdb/CORS#Enabling_CORS
but I've never used couch before and couldn't see where that config file is in npm src here

@maks
Copy link
Author

@maks maks commented May 31, 2013

I just tried http://registry.npmjs.org/bops/latest but can't see the cors headers?

@isaacs
Copy link
Contributor

@isaacs isaacs commented May 31, 2013

Yeah, I think I didn't do something. I'll dig into it later. People have
asked for this a few times, so it'd be good to just do it.

On Thursday, May 30, 2013, Maksim Lin wrote:

I should also mention I am testing using curl -II and with
http://client.cors-api.appspot.com/client#?client_method=GET&client_credentials=false&server_url=http%3A%2F%2Fregistry.npmjs.org%2Fbops%2Flatest&server_enable=true&server_status=200&server_credentials=false&server_tabs=remote


Reply to this email directly or view it on GitHubhttps://github.com//issues/108#issuecomment-18717481
.

@maks
Copy link
Author

@maks maks commented May 31, 2013

@isaacs really appreciate you looking at this so quickly! Anytime you get a chance to look into it is fine.

@kumavis
Copy link

@kumavis kumavis commented Jun 6, 2013

+1

@maks
Copy link
Author

@maks maks commented Nov 28, 2013

@isaacs would you have time to look into this again? with @dominictarr npmd now available it would be useful to try using it even in-browser.

@isaacs
Copy link
Contributor

@isaacs isaacs commented Dec 2, 2013

@jhs Maybe you could look at this? Did I do something wrong?

I've enabled cors for methods = GET, HEAD (since allowing PUTs and DELETEs would be stupidly dangerous) and for all hosts. However, it's not sending the proper headers, as far as I can tell.

@isaacs
Copy link
Contributor

@isaacs isaacs commented Dec 2, 2013

Oh, hahaha, nevermind. The issue was that I'd set origin: * instead of origins: *. Note the plural on "origins".

Can you try it now?

@isaacs isaacs closed this Dec 2, 2013
@nathanboktae
Copy link

@nathanboktae nathanboktae commented May 26, 2014

CORS headers aren't there still. Try $.ajax('https://registry.npmjs.org/mocha') in the console here on github:

$.ajax('https://registry.npmjs.org/mocha')
Object {readyState: 1, getResponseHeader: function, getAllResponseHeaders: function, setRequestHeader: function, overrideMimeType: function…}
XMLHttpRequest cannot load https://registry.npmjs.org/mocha. No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'https://github.com' is therefore not allowed access.

@terinjokes terinjokes reopened this May 28, 2014
@maks
Copy link
Author

@maks maks commented May 28, 2014

I wonder if the change the @isaacs made got backed out some how because I do remember trying it after it got closed and it was working then for me but yes now the headers are gone again.

@eiriksm
Copy link

@eiriksm eiriksm commented Jul 1, 2014

+1
Also working on something that queries npm through the browser and would love to avoid proxying :)

@onaclov2000
Copy link

@onaclov2000 onaclov2000 commented Aug 15, 2014

Any chance this has been resolved? I have been playing with it a little (via angularjs) but can't seem to get around the CORs issue.

Thank you

@pbrinkmeier
Copy link

@pbrinkmeier pbrinkmeier commented Jan 11, 2015

Please add CORS headers, that would just make everything easier for me.

@maxleiko
Copy link

@maxleiko maxleiko commented Jan 27, 2015

👍

1 similar comment
@huafu
Copy link

@huafu huafu commented Feb 7, 2015

👍

@deathcap
Copy link

@deathcap deathcap commented Feb 10, 2015

👍 would be great if CORS could be (re-?)enabled to open up many new possibilities for web-based interaction with the NPM registry without proxy hacks.

For reference, this is only a CouchDB configuration change (no code change), in case anyone wants to enable CORS on their own npm-registry-couchapp instance, something like this works:

curl -X PUT http://admin:password@localhost:5984/_config/httpd/enable_cors -d '"true"'
curl -X PUT http://admin:password@localhost:5984/_config/cors/origins -d '"*"'
curl -X PUT http://admin:password@localhost:5984/_config/cors/methods -d '"GET, HEAD"'

then test that it is enabled with:

curl -i -H 'Origin: example.com' registry.npmjs.org | grep Access-Control

curl -i -H 'Origin: example.com' localhost:5984 | grep Access-Control
…
Access-Control-Expose-Headers: Cache-Control, Content-Type, Server
Access-Control-Allow-Origin: example.com

@osslate
Copy link

@osslate osslate commented Feb 10, 2015

👍

@kumavis
Copy link

@kumavis kumavis commented Feb 13, 2015

thanks @deathcap!

@kumavis
Copy link

@kumavis kumavis commented Feb 13, 2015

Here is a CORS proxy service max runs if anyone needs a temporary workaround http://cors.maxogden.com

@manosim
Copy link

@manosim manosim commented May 5, 2015

+1 Trying to make a request: XMLHttpRequest cannot load https://registry.npmjs.org/less. Origin http://192.168.1.68:8080 is not allowed by Access-Control-Allow-Origin.

@xixixao
Copy link

@xixixao xixixao commented Jun 8, 2015

+1

1 similar comment
@zahhak
Copy link

@zahhak zahhak commented Sep 10, 2015

👍

@kumavis
Copy link

@kumavis kumavis commented Sep 11, 2015

👍

@luisherranz
Copy link

@luisherranz luisherranz commented Oct 10, 2015

Want this! 👍

@alexanderbartels
Copy link

@alexanderbartels alexanderbartels commented Nov 26, 2015

👍

@cbornet
Copy link

@cbornet cbornet commented Jan 14, 2016

👍

@cbornet
Copy link

@cbornet cbornet commented Jan 15, 2016

@isaacs any chance this can be enabled again or is there a security issue preventing this ?

@zeke
Copy link

@zeke zeke commented Jan 22, 2016

Hey @ceejbot, @bcoe, @seldo, @isaacs. Any progress on this? Would really love to migrate people off my proxy app.

@bcoe
Copy link
Contributor

@bcoe bcoe commented Jan 23, 2016

We had CORS enabled for a period of time, but it unfortunately raised some security concerns: allowing folks to perform arbitrary puts from the browser, opening us up to potential DDoS attacks, etc. We opted to turn CORS back off due to these concerns.

Since this time, we have gradually moved away from adding any updates to npm-registry-couchapp; the codebase has gradually become deprecated as we've moved to a more distributed architecture.

I've officially added a deprecation notice to the repo:

#252

And I'd love for folks to instead join the conversation here:

https://github.com/npm/public-api

Let's decide on what a public API for npm should look like.

@vadzim
Copy link

@vadzim vadzim commented Apr 16, 2020

For visitors:
You can use unpkg (https://unpkg.com/) instead of https://npmjs.com/
Unpkg is a CDN and sets CORS

@Jolg42
Copy link

@Jolg42 Jolg42 commented Feb 1, 2021

Another workaround would be to use npms https://api.npms.io/v2/package/prisma

@jasonkuhrt
Copy link

@jasonkuhrt jasonkuhrt commented May 10, 2021

@vadzim I don't see a way to get the npm package metadata from unpkg?

@Jolg42 that doesn't offer the npm package metadata either?

@Jolg42
Copy link

@Jolg42 Jolg42 commented May 10, 2021

@jasonkuhrt npms offers the same with some differences but mostly the same with extra fields. Though npms had issues in the past with stale data.

@Jolg42
Copy link

@Jolg42 Jolg42 commented May 10, 2021

The discussion continues here since this issue is closed and not monitored I guess.

npm/feedback#117

@jasonkuhrt
Copy link

@jasonkuhrt jasonkuhrt commented May 16, 2021

This works for us for now https://npmjs.cf/

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
None yet
Projects
None yet
Linked pull requests

Successfully merging a pull request may close this issue.

None yet