jsonp is not working for registry.npmjs.org #157
Comments
Indeed. This is actually a security problem if we enable it at the moment. Here's why: If you go to https://skimdb.npmjs.com/_users/_design/_auth/_view/listAll?startkey=%22org.couchdb.user:isaacs%22&limit=1, you will get an error that you're not allowed to perform views on that database, because you're not a server admin. However, if you ran the same view, but via a script tag with We are currently working on making some slight modifications to the setup so that we can have a skimdb couch exposed in every which way as a downstream, so there's no chance of user credentials being leaked.
Interesting. In that case can you enable CORS? It's just one header in the response. This would really help
This is what needs to be changed in CouchDB config:
In case if isaacs.iriscouch.com is down during presentation add fake argument to query string to get fake data visualized See also: npm/npm-registry-couchapp#157
Cors will be allowed eventually, but not until we do some more security fixes and enhancements to prevent bad behavior from potentially causing trouble in the production registry. We'll announce on our blog when this is live.
jsonp will be enabled as well. But again, not until it can be done safely.
Hi @isaacs I was working on npm visualization from a browser, and
Hi @isaacs, sorry for bugging you again. Is it safe to enable CORS now :)?
I am also working on jsonp or cors ajax to npm. Listing and searching related npm modules. Any workaround for this?
I want this too, but there is apparently a security issue in the version of CouchDB we're running that makes it unsafe to enable CORS. I think @isaacs said something about the CouchDB CORS configuration being all-or-nothing, rather than granular, i.e. We are currently building a relational follower of the registry that will enable this. In the meantime, you'll have to use a proxy. If you're not doing tons of traffic with it, you can use mine or stand up your own version of it: https://github.com/zeke/npm-registry-cors-proxy
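The proxy workaround mentioned above, sketched as an added example (it is not code from npm-registry-cors-proxy or from npm): the core of a read-only CORS proxy that forwards only anonymous requests, so a visitor's cookies or Authorization header never reach CouchDB, and that answers with a wildcard origin and no `Access-Control-Allow-Credentials`. The upstream host, the header allow-lists and all function names are assumptions.

```javascript
// Added example: credential-stripping, read-only CORS proxy core.
// UPSTREAM, the allow-lists and the function names are illustrative assumptions.
const UPSTREAM = 'https://registry.npmjs.org';
// Cookie and Authorization are deliberately absent from this list, so the
// upstream only ever sees an anonymous client.
const FORWARDED_REQUEST_HEADERS = ['accept', 'if-none-match'];
const FORWARDED_RESPONSE_HEADERS = ['content-type', 'etag', 'cache-control'];

// Decide what to request upstream, or return a status to short-circuit with.
function buildUpstreamRequest(method, path, headers) {
  if (method === 'OPTIONS') return { status: 204 }; // CORS preflight
  if (method !== 'GET' && method !== 'HEAD') return { status: 405 };
  let url;
  try {
    url = new URL(path, UPSTREAM);
  } catch (err) {
    return { status: 400 };
  }
  // "//host/x", "/\host/x" and absolute URLs all resolve to another origin.
  if (url.origin !== UPSTREAM) return { status: 400 };
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    const key = name.toLowerCase();
    if (FORWARDED_REQUEST_HEADERS.includes(key)) out[key] = value;
  }
  return { url: url.href, method, headers: out };
}

// Headers sent back to the browser: Set-Cookie is never relayed, and no
// Access-Control-Allow-Credentials is emitted alongside the wildcard origin.
function buildClientHeaders(upstreamHeaders) {
  const out = {
    'access-control-allow-origin': '*',
    'access-control-allow-methods': 'GET, HEAD, OPTIONS',
  };
  for (const name of FORWARDED_RESPONSE_HEADERS) {
    if (upstreamHeaders[name]) out[name] = upstreamHeaders[name];
  }
  return out;
}

// Glue: req is { method, url, headers }; fetchImpl can be swapped for tests.
async function handle(req, fetchImpl = fetch) {
  const plan = buildUpstreamRequest(req.method, req.url, req.headers);
  if (plan.status) return { status: plan.status, headers: buildClientHeaders({}), body: '' };
  const res = await fetchImpl(plan.url, { method: plan.method, headers: plan.headers, redirect: 'manual' });
  const upstreamHeaders = Object.fromEntries(res.headers);
  return { status: res.status, headers: buildClientHeaders(upstreamHeaders), body: await res.text() };
}
```

`handle` can be wired into any HTTP server; the two pure functions carry the policy and can be tested without network access.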
I believe @maxogden said that there is a dat stream for
oh yea we have http://npm.dathub.org/, it's experimental though so don't build anything production off of it
@maxogden I was hoping to use CORS or JSONP enabled endpoint to render dependencies graph here: https://github.com/anvaka/npmgraph.an http://npm.dathub.org/api/rows?limit=10 - looks promising, though it seems CORS/JSONP are not available here either?
It supports CORS GET, but not JSONP On Wed, Jan 28, 2015 at 8:53 PM, Andrei Kashcha [email protected]
For visitors:
Hello,
I'm trying to use npm from a browser.
This returns valid jsonp response:
http://isaacs.iriscouch.com/registry/_design/scratch/_view/byField?callback=foo&limit=10
However, isaacs.iriscouch.com was not stable recently, and I'm trying to change endpoint to registry.npmjs.org:
http://registry.npmjs.org/-/_view/byField?callback=foo&limit=10
This returns data, but completely ignores callback argument (which makes it unusable for jsonp scenario).
Neither does skimdb respect it:
https://skimdb.npmjs.com/registry/_design/scratch/_view/byField?callback=foo&limit=10
Would really appreciate your help.
Cheers,
Andrei