Skip to content


Subversion checkout URL

You can clone with
Download ZIP


jsonp is not working for #157

anvaka opened this Issue · 13 comments

6 participants



I'm trying to use npm from a browser.

This returns valid jsonp response:

However was not stable recently, and I'm trying to change endpoint to

This returns data, but completely ignores callback argument (which makes it unusable for jsonp scenario).

Neither does skimdb respects it:

Would really appreciate your help.



Indeed. This is actually a security problem if we enable it at the moment. Here's why:

If you go to, you will get an error that you're not allowed to perform views on that database, because you're not a server admin.

However, if you ran the same view, but via a script tag with &callback=steal_all_teh_secrets, then your evil code could steal private user credentials if you can get any npm server admin to visit your page. Since you can't (afaik?) configure couchdb to allow jsonp on ONE database, and not another.

We are currently working on making some slight modifications to the setup so that we can have a skimdb couch exposed in every which way as a downstream, so there's no chance of user credentials being leaked.

@isaacs isaacs closed this

Interesting. In that case can you enable CORS? It's just one header in the response Access-Control-Allow-Origin: *

This would really help


This is what needs to be changed in CouchDB config:

enable_cors = true

origins = *
@anvaka anvaka referenced this issue from a commit in anvaka/
@anvaka anvaka Added `fake` attribute
In case if is down during presentation
add fake argument to query string to get fake data visualized

See also: npm/npm-registry-couchapp#157

Cors will be allowed eventually, but not until we do some more security fixes and enhancements to prevent bad behavior from potentially causing trouble in the production registry. We'll announce on our blog when this is live.


jsonp will be enabled as well. But again, not until it can be done safely.


Hi @isaacs

I was working on npm visualization from a browser, and is down again. Is there any timeline of getting CORS enabled?

@anvaka anvaka referenced this issue in anvaka/

registry #1


Hi @isaacs, sorry for bugging you again. Is it safe to enable CORS now :)?


I am also working on jsonp or cors ajax to npm.

Listing and searching related npm modules.

Any work around for this?


I want this too, but there is apparently a security issue in the version of CouchDB we're running that makes it unsafe to enable CORS. I think @isaacs said something about the CouchDB CORS configuration being all-or-nothing, rather than granular, i.e. GET-only.

We are currently building a relational follower of the registry that will enable this. In the mean time, you'll have to use a proxy. If you're not doing tons of traffic with it, you can use mine or stand up your own version of it:


I believe @maxogden said that there is a dat stream for npm registry -- see


oh yea we have, it's experimental though so don't build anything production off of it


@maxogden I was hoping to use CORS or JSONP enabled endpoint to render dependencies graph here: - looks promising, thought it seems CORS/JSONP are not available here either?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Something went wrong with that request. Please try again.