oprypin / nightly.link

Downloads the latest "nightly" build/artifact from a continuous testing workflow
https://nightly.link/
GNU Affero General Public License v3.0

Missing CORS header, cannot check latest nightly from a website #59

Closed pimlie closed 1 year ago

pimlie commented 1 year ago

Not sure if this is intentional or not, but the server is not returning an Access-Control-Allow-Origin header, which causes requests to nightly.link from a webpage to fail.

Would it be possible to add proper CORS settings? For example, to allow any website to connect with the API, the server should return at minimum an access-control-allow-origin: * header.
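
What the browser does with the header discussed in this issue, as an added example that is not part of the original thread or of nightly.link's code: a simplified model of the CORS check for a simple cross-origin GET without preflight. The origin `https://flasher.example` and the function names are made up for illustration.

```javascript
// Added example: simplified model of the browser's CORS check for a
// simple cross-origin GET (no preflight). Not nightly.link code.

// Look up a header case-insensitively; headers is a plain object.
function getHeader(headers, name) {
  const wanted = name.toLowerCase();
  for (const [key, value] of Object.entries(headers)) {
    if (key.toLowerCase() === wanted) return String(value).trim();
  }
  return null;
}

// Returns { readable, reason } for a response to a cross-origin request.
// pageOrigin: origin of the calling page; withCredentials: whether the
// request carried cookies / HTTP auth (fetch credentials: "include").
function corsCheck(pageOrigin, responseHeaders, withCredentials = false) {
  const allowOrigin = getHeader(responseHeaders, "Access-Control-Allow-Origin");
  if (allowOrigin === null) {
    return { readable: false, reason: "no Access-Control-Allow-Origin header" };
  }
  if (allowOrigin === "*") {
    // The wildcard never applies to credentialed requests.
    return withCredentials
      ? { readable: false, reason: "wildcard not allowed with credentials" }
      : { readable: true, reason: "wildcard, anonymous request" };
  }
  if (allowOrigin !== pageOrigin) {
    return { readable: false, reason: "allowed origin does not match page origin" };
  }
  if (withCredentials &&
      getHeader(responseHeaders, "Access-Control-Allow-Credentials") !== "true") {
    return { readable: false, reason: "Access-Control-Allow-Credentials is not true" };
  }
  return { readable: true, reason: "origin explicitly allowed" };
}

// Constructed sample inputs (hypothetical page origin).
const page = "https://flasher.example";
const cases = [
  ["no CORS header (the reported behaviour)", {}, false],
  ["wildcard", { "access-control-allow-origin": "*" }, false],
  ["wildcard + cookies", { "Access-Control-Allow-Origin": "*" }, true],
  ["other origin pinned", { "Access-Control-Allow-Origin": "https://other.example" }, false],
];
for (const [label, headers, creds] of cases) {
  const r = corsCheck(page, headers, creds);
  console.log(`${label}: ${r.readable ? "readable" : "blocked"} (${r.reason})`);
}
```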

oprypin commented 1 year ago

As far as I'm aware, it is better this way, maybe a bit fewer possibilities for malware distribution and other abuse.

The best thing you can do to support your point is to describe the exact use case you have.

From the short description I've seen, the request is a bit strange. You want to call nightly.link as an API? All it will do is call GitHub's API for you, but slower and without uptime guarantees?

pimlie commented 1 year ago

The use case for this is that I would like to be able to update the firmware of a device through the Web Serial API.

So the flow would be:

FWIW: The GitHub API itself returns access-control-allow-origin: * too :)

oprypin commented 1 year ago

I'm sorry, but it's a bit horrifying - surely the firmware of a device shouldn't be updated based on a website that just some random guy on the internet is running for fun.

pimlie commented 1 year ago

You are not giving yourself enough credit I guess ;)

Not sure why this would be horrifying though in principle; the Serial and/or USB APIs in Google Chrome are used quite often. See for example https://esphome.github.io/esp-web-tools/

Feel free to close this issue if you don't want to add support, thanks!

oprypin commented 1 year ago

I don't want to add support. 🙁 It is unpredictable which security holes that may enable.