add support for CORS headers

[maks]

I'm working on a npm client to use in-browser and would like to be able to access registry.npmjs.org from a browser webpage without using a proxy.

[isaacs]

@iriscouch @jhs Is it possible to enable cors headers on couchdb? Config somewhere?

[isaacs]

I think I might have just enabled them. That was super easy. Can you test and see if it works?

[maks]

Wow thanks so much for such a quick response!!
A quick google found this: http://wiki.apache.org/couchdb/CORS#Enabling_CORS
but I've never used couch before and couldn't see where that config file is in npm src here

[maks]

I just tried http://registry.npmjs.org/bops/latest but can't see the cors headers?

[maks]

I should also mention I am testing using curl -Ii and with http://client.cors-api.appspot.com/client#?client_method=GET&client_credentials=false&server_url=http%3A%2F%2Fregistry.npmjs.org%2Fbops%2Flatest&server_enable=true&server_status=200&server_credentials=false&server_tabs=remote

[isaacs]

Yeah, I think I didn't do something. I'll dig into it later. People have
asked for this a few times, so it'd be good to just do it.

On Thursday, May 30, 2013, Maksim Lin wrote:

I should also mention I am testing using curl -II and with
http://client.cors-api.appspot.com/client#?client_method=GET&client_credentials=false&server_url=http%3A%2F%2Fregistry.npmjs.org%2Fbops%2Flatest&server_enable=true&server_status=200&server_credentials=false&server_tabs=remote

—
Reply to this email directly or view it on GitHubhttps://github.com//issues/108#issuecomment-18717481
.

[maks]

@isaacs really appreciate you looking at this so quickly! Anytime you get a chance to look into it is fine.

[kumavis]

+1

[maks]

@isaacs would you have time to look into this again? with @dominictarr npmd now available it would be useful to try using it even in-browser.

[isaacs]

@jhs Maybe you could look at this? Did I do something wrong?

I've enabled cors for methods = GET, HEAD (since allowing PUTs and DELETEs would be stupidly dangerous) and for all hosts. However, it's not sending the proper headers, as far as I can tell.

[isaacs]

Oh, hahaha, nevermind. The issue was that I'd set origin: * instead of origins: *. Note the plural on "origins".

Can you try it now?

[nathanboktae]

CORS headers aren't there still. Try $.ajax('https://registry.npmjs.org/mocha') in the console here on github:

$.ajax('https://registry.npmjs.org/mocha')
Object {readyState: 1, getResponseHeader: function, getAllResponseHeaders: function, setRequestHeader: function, overrideMimeType: function…}
XMLHttpRequest cannot load https://registry.npmjs.org/mocha. No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'https://github.com' is therefore not allowed access.

[maks]

I wonder if the change the @isaacs made got backed out some how because I do remember trying it after it got closed and it was working then for me but yes now the headers are gone again.

[eiriksm]

+1
Also working on something that queries npm through the browser and would love to avoid proxying :)

[onaclov2000]

Any chance this has been resolved? I have been playing with it a little (via angularjs) but can't seem to get around the CORs issue.

Thank you

[pbrinkmeier]

Please add CORS headers, that would just make everything easier for me.

[maxleiko]

👍

[huafu]

👍

[deathcap]

👍 would be great if CORS could be (re-?)enabled to open up many new possibilities for web-based interaction with the NPM registry without proxy hacks.

For reference, this is only a CouchDB configuration change (no code change), in case anyone wants to enable CORS on their own npm-registry-couchapp instance, something like this works:

curl -X PUT http://admin:password@localhost:5984/_config/httpd/enable_cors -d '"true"'
curl -X PUT http://admin:password@localhost:5984/_config/cors/origins -d '"*"'
curl -X PUT http://admin:password@localhost:5984/_config/cors/methods -d '"GET, HEAD"'

then test that it is enabled with:

curl -i -H 'Origin: example.com' registry.npmjs.org | grep Access-Control

curl -i -H 'Origin: example.com' localhost:5984 | grep Access-Control
…
Access-Control-Expose-Headers: Cache-Control, Content-Type, Server
Access-Control-Allow-Origin: example.com

[osslate]

👍

[kumavis]

thanks @deathcap!

[kumavis]

Here is a CORS proxy service max runs if anyone needs a temporary workaround http://cors.maxogden.com

[manosim]

+1 Trying to make a request: XMLHttpRequest cannot load https://registry.npmjs.org/less. Origin http://192.168.1.68:8080 is not allowed by Access-Control-Allow-Origin.

[xixixao]

+1

[zahhak]

👍

[kumavis]

👍

[luisherranz]

Want this! 👍

[alexanderbartels]

👍

[cbornet]

👍

[cbornet]

@isaacs any chance this can be enabled again or is there a security issue preventing this ?

[zeke]

Hey @ceejbot, @bcoe, @seldo, @isaacs. Any progress on this? Would really love to migrate people off my proxy app.

[bcoe]

We had CORS enabled for a period of time, but it unfortunately raised some security concerns: allowing folks to perform arbitrary puts from the browser, opening us up to potential DDoS attacks, etc. We opted to turn CORS back off due to these concerns.

Since this time, we have gradually moved away from adding any updates to npm-registry-couchapp; the codebase has gradually become deprecated as we've moved to a more distributed architecture.

I've officially added a deprecation notice to the repo:

#252

And I'd love for folks to instead join the conversation here:

https://github.com/npm/public-api

Let's decide on what a public API for npm should look like.

[vadzim]

For visitors:
You can use unpkg (https://unpkg.com/) instead of https://npmjs.com/
Unpkg is a CDN and sets CORS

[Jolg42]

Another workaround would be to use npms https://api.npms.io/v2/package/prisma

[jasonkuhrt]

@vadzim I don't see a way to get the npm package metadata from unpkg?

@Jolg42 that doesn't offer the npm package metadata either?

[Jolg42]

@jasonkuhrt npms offers the same with some differences but mostly the same with extra fields. Though npms had issues in the past with stale data.

[Jolg42]

The discussion continues here since this issue is closed and not monitored I guess.

npm/feedback#117

[jasonkuhrt]

This works for us for now https://npmjs.cf/