Allow Cross-Origin requests
di opened this issue · 5 comments
From pypi/warehouse#4687:
What's the problem this feature will solve?
I'm a developer of pyodide, a port of CPython and the scientific Python stack to WebAssembly. One feature we'd love to add is the ability to install (pure Python) wheels directly from PyPI into the browser (see pyodide/pyodide#147). Unfortunately, this isn't currently possible, since requesting files from files.pythonhosted.org is blocked by CORS. There have been a number of PRs (e.g. #578) that have made CORS work well for the PyPI JSON API, and indeed this is working great for our scenario, so I wonder if you'd be willing to expand that to include the content itself.
Describe the solution you'd like
Adding the appropriate headers to the responses on files.pythonhosted.org to allow CORS requests. Primarily, this would be setting Access-Control-Allow-Origin to *, though there may be some other required details. I am not an expert in CORS issues.
I don't see any reason why we can't add headers similar to https://github.com/pypa/warehouse/blob/211c43c60aed72db1ace58986cd234d4743fed85/warehouse/legacy/api/json.py#L25-L42 here.
Hate to be rude and ping... Is there anything I can do to help move this along? This would be an absolutely killer feature for pyodide...
#7 has been successfully deployed but we're still not seeing the proper headers here, so reopening.
We need to do this at our CDN as most canonical file URLs bypass conveyor entirely. I created pypi/infra#44 which should take care of this.
Calling this resolved:
$ curl -IXGET https://files.pythonhosted.org/packages/51/5f/802a04274843f634469ef299fcd273de4438386deb7b8681dd059f0ee3b7/pip-19.1.tar.gz
HTTP/2 200
x-amz-id-2: XuFjUSXB/m8+xpPsP8xP+jtWQqFWioOjJq+E/CZXlFuZ8lEdRr3gi7KFaEc2ZndfbMEUXqhv18E=
x-amz-request-id: 80F24ECA72A83148
last-modified: Wed, 24 Apr 2019 02:34:09 GMT
etag: "22e3726252b492ce24312c2b43d0127f"
x-amz-version-id: DYFPI1O7qOip28PbA89HSxlZe87tPR.z
content-type: binary/octet-stream
server: AmazonS3
cache-control: max-age=365000000, immutable, public
accept-ranges: bytes
date: Sun, 12 May 2019 22:19:42 GMT
age: 1626332
x-served-by: cache-sea1035-SEA, cache-lax8632-LAX
x-cache: HIT, HIT
x-cache-hits: 1, 1
x-timer: S1557699583.557317,VS0,VE5
strict-transport-security: max-age=31536000; includeSubDomains; preload
x-frame-options: deny
x-xss-protection: 1; mode=block
x-content-type-options: nosniff
x-permitted-cross-domain-policies: none
x-robots-header: noindex
access-control-allow-methods: GET
access-control-allow-origin: *
content-length: 1334822
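The check a browser applies to a response like the one above, as an added example that is not part of the original thread or of PyPI's code. It is a simplified version of the Fetch standard's CORS check for a request that needs no preflight; the function names, the `BEFORE` sample and the requesting origin are assumptions made for illustration.

```javascript
// Parse a "name: value" header block (as printed by curl -I) into a Map.
function parseHeaders(raw) {
  const headers = new Map();
  for (const line of raw.split(/\r?\n/)) {
    const idx = line.indexOf(":");
    if (idx <= 0) continue; // status line ("HTTP/2 200") and blank lines
    headers.set(line.slice(0, idx).trim().toLowerCase(), line.slice(idx + 1).trim());
  }
  return headers;
}

// Simplified "CORS check" from the Fetch standard for a request that needs
// no preflight (plain GET, no custom headers).
function corsCheck(headers, requestOrigin, withCredentials = false) {
  const allowOrigin = headers.get("access-control-allow-origin");
  if (allowOrigin === undefined) {
    return { allowed: false, reason: "no Access-Control-Allow-Origin header" };
  }
  if (!withCredentials && allowOrigin === "*") {
    return { allowed: true, reason: "wildcard accepted for non-credentialed request" };
  }
  if (allowOrigin !== requestOrigin) {
    return { allowed: false, reason: `origin mismatch: ${allowOrigin}` };
  }
  if (!withCredentials || headers.get("access-control-allow-credentials") === "true") {
    return { allowed: true, reason: "origin matches" };
  }
  return { allowed: false, reason: "credentials not allowed by server" };
}

// Subset of the headers from the curl output in this thread.
const AFTER = `HTTP/2 200
content-type: binary/octet-stream
x-content-type-options: nosniff
access-control-allow-methods: GET
access-control-allow-origin: *
content-length: 1334822`;

// Constructed sample: the same response without the CORS headers.
const BEFORE = `HTTP/2 200
content-type: binary/octet-stream
content-length: 1334822`;

const ORIGIN = "https://app.example"; // hypothetical requesting origin
console.log("before:", corsCheck(parseHeaders(BEFORE), ORIGIN));
console.log("after:", corsCheck(parseHeaders(AFTER), ORIGIN));
console.log("after, with credentials:", corsCheck(parseHeaders(AFTER), ORIGIN, true));
```

The wildcard is honoured only for requests sent without credentials, so `access-control-allow-origin: *` exposes to page scripts only what an anonymous client could already download.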