npm / registry-issue-archive

An archive of the old npm registry issue tracker
https://npm.community

CORS #110

Open legodude17 opened 7 years ago

legodude17 commented 7 years ago

I would like to use the registry for a browser side npm client, but the npm registry does not have CORS enabled. Could you please add that? It would be very helpful.

zeke commented 7 years ago

I think you've opened this issue in the right place, but here's some backstory from where the issue used to live: https://github.com/npm/npm-registry-couchapp/issues/108

ashleygwilliams commented 7 years ago

hey! i don't think we're ready to offer CORS at this time because of security issues. you can however stand up your own CORS anywhere (https://github.com/Rob--W/cors-anywhere) and that should work for ya!

zeke commented 7 years ago

It sounds like the security issues were only for write operations like PUT. What about enabling CORS just for read requests like GET and HEAD?
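
The read-only policy proposed in this comment can be sketched as a header decision function. This is an added example, not part of the thread and not npm's registry code; `corsDecision`, the two allow-lists and the sample origin are hypothetical.

```javascript
// Added example; corsDecision and both allow-lists are hypothetical names.
const READ_METHODS = new Set(["GET", "HEAD"]);
// Request headers allowed on cross-origin reads. Authorization is left out on
// purpose, so page scripts cannot attach registry tokens to these requests.
const READ_HEADERS = new Set(["accept", "if-none-match"]);

function corsDecision(method, rawHeaders) {
  const h = {};
  for (const [k, v] of Object.entries(rawHeaders)) h[k.toLowerCase()] = v;
  const verb = method.toUpperCase();
  // No Origin header: not a cross-origin browser request, nothing to add.
  if (!h.origin) return { respond: null, headers: {} };

  const wanted = h["access-control-request-method"];
  if (verb === "OPTIONS" && wanted) {
    // Preflight: approve only read methods with allow-listed headers.
    const asked = (h["access-control-request-headers"] || "")
      .split(",").map((s) => s.trim().toLowerCase()).filter(Boolean);
    const ok = READ_METHODS.has(wanted.toUpperCase()) &&
      asked.every((name) => READ_HEADERS.has(name));
    // A refusal carries no CORS headers, so the browser never sends the request.
    if (!ok) return { respond: 403, headers: {} };
    const headers = {
      "Access-Control-Allow-Origin": "*",
      "Access-Control-Allow-Methods": "GET, HEAD",
      "Access-Control-Max-Age": "600",
    };
    if (asked.length) headers["Access-Control-Allow-Headers"] = asked.join(", ");
    return { respond: 204, headers };
  }
  // Reads: wildcard origin and no Access-Control-Allow-Credentials, so
  // responses to credentialed (cookie-bearing) requests stay unreadable.
  if (READ_METHODS.has(verb)) {
    return { respond: null, headers: { "Access-Control-Allow-Origin": "*" } };
  }
  // PUT, POST, DELETE and the rest get no CORS headers at all.
  return { respond: null, headers: {} };
}

// Constructed sample: a preflight for a PUT from a placeholder origin.
const putPreflight = corsDecision("OPTIONS", {
  Origin: "https://client.example",
  "Access-Control-Request-Method": "PUT",
});
console.log(putPreflight.respond); // refused
```

CORS headers only decide whether a page may read a response or send a preflighted request; simple cross-origin POSTs are still delivered, so write endpoints keep their own authentication checks regardless of this policy.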

ashleygwilliams commented 7 years ago

i think it would be a great idea! it will not be solved immediately though, @zeke. in the meantime, the solution i shared can give @legodude17 a working solution right away.

legodude17 commented 7 years ago

Awesome! Thank you for the quick response @ashleygwilliams!

WebReflection commented 7 years ago

I've followed this issue too and I didn't understand the problem ... you could enable only HEAD and GET operations, no need to enable POST, PUT, and DELETE too, right?

Please add HEAD and GET options for CORS, it'd be awesome, thank you!!!

legodude17 commented 7 years ago

@WebReflection, @ashleygwilliams said that it would happen, but not right now.

WebReflection commented 7 years ago

I wasn't sure @ashleygwilliams was part of the team and there's no assignee yet, hence my post.

By any chance, can we have an ETA for this? Thanks!

legodude17 commented 7 years ago

You would have to ask @ashleygwilliams. 😄

WebReflection commented 7 years ago

mentioned indeed in my previous post ;-)

WebReflection commented 7 years ago

@ashleygwilliams any possible estimated time for this, if it'll ever happen?

broofa commented 7 years ago

FWIW, a not-horrible workaround is to use a CORS proxy service like http://cors-proxy.htmldriven.com/

That said, depending on 3rd-party services is less than ideal. E.g. if an app using them gets Reddit-hugged, it could bring the service down.

WebReflection commented 7 years ago

@broofa nobody wants to use third parties unless it's unpkg.com, which is already CORS enabled.

Unfortunately though, there's no way to know package details without redirection which is not sync XHR friendly for libraries/tools that need it.

rajsite commented 6 years ago

Dunno if I should make a separate issue but the use case I'm looking at is to just have package metadata (specifically dist-tags) served with CORS enabled; I'm not manipulating packages themselves.

Is there less of a risk for just having package metadata available with CORS enabled?

toporelo commented 6 years ago

toporelowery777@gmail.com