CORS Header issues


I am requesting a zipball in the form of a request to: <user>/<repo>/zipball

This then redirects to a url in the form: <user>/<repo>/

However this request fails for me due to:
Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at<user>/<repo>/ (Reason: CORS header ‘Access-Control-Allow-Origin’ does not match ‘’).

Is there something obvious I am missing, or a reason for the CORS header not being * ?


Here’s what I get when I use HTTPie to download the zipball of atom/atom using the endpoint you describe:

$ http
HTTP/1.1 302 Found
Access-Control-Allow-Origin: *
Access-Control-Expose-Headers: ETag, Link, Location, Retry-After, X-GitHub-OTP, X-RateLimit-Limit, X-RateLimit-Remaining, X-RateLimit-Reset, X-OAuth-Scopes, X-Accepted-OAuth-Scopes, X-Poll-Interval, X-GitHub-Media-Type
Cache-Control: public, must-revalidate, max-age=0
Content-Length: 0
Content-Security-Policy: default-src 'none'
Content-Type: text/html;charset=utf-8
Date: Mon, 08 Apr 2019 22:05:45 GMT
Expires: Mon, 08 Apr 2019 22:05:45 GMT
Referrer-Policy: origin-when-cross-origin, strict-origin-when-cross-origin
Status: 302 Found
Strict-Transport-Security: max-age=31536000; includeSubdomains; preload
Vary: Accept-Encoding
X-Content-Type-Options: nosniff
X-Frame-Options: deny
X-GitHub-Request-Id: 8909:9C93:636B:76DE:5CABC5B8
X-RateLimit-Limit: 60
X-RateLimit-Remaining: 60
X-RateLimit-Reset: 1554764745
X-XSS-Protection: 1; mode=block

But if I use -F to follow redirects, I don’t run into the error you’re describing:

$ http -F
HTTP/1.1 200 OK
Content-Disposition: attachment;
Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
Content-Type: application/zip
Date: Mon, 08 Apr 2019 22:09:37 GMT
ETag: "24c0503617095decad89a23a756630498730da32"
Strict-Transport-Security: max-age=31536000
Transfer-Encoding: chunked
Vary: Authorization,Accept-Encoding
X-Content-Type-Options: nosniff
X-Frame-Options: deny
X-GitHub-Request-Id: 8EAC:3E58:013A:0C59:5CABC6A1
X-XSS-Protection: 1; mode=block

| NOTE: binary data not shown in terminal |

So I’m not sure what might be going wrong for you, but I also tested this in a browser and the file downloaded fine too.

If you’re still running into this problem, can you give some information as to how exactly you’re making the request?

I am making the request using a javascript fetch request.

It should be compatible as mentioned here

The code is:

let zipball = await fetch("")

I have the exact same problem, would it be possible to open CORS for

@hakilebara If you mean change the CORS settings, I don’t believe the security team would agree to that :grinning:

I mean, if the settings aren’t changed, then the API is a bit useless…

There has been a precedent: and the GitHub security team did change the CORS settings.

It’s affecting a bunch of people:,, etc.
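
A browser `fetch()` in CORS mode applies the `Access-Control-Allow-Origin` check to every response in the redirect chain, which a command-line client such as HTTPie does not do. The following is an added example (not code from this thread or from GitHub) that runs a simplified version of that check over the two header sets shown above. The hostnames and the `https://app.example` page origin are placeholders, and it assumes the server sends a browser the same headers it sent HTTPie.

```javascript
// Added example: simplified Fetch-standard CORS check over a redirect chain
// (mode "cors", no credentials). Hostnames are placeholders, not from the thread.
function parseHeaders(dump) {
  const headers = new Map();
  for (const line of dump.trim().split("\n").slice(1)) { // skip the status line
    const i = line.indexOf(":");
    if (i > 0) headers.set(line.slice(0, i).trim().toLowerCase(), line.slice(i + 1).trim());
  }
  return headers;
}

// Returns the first hop whose response the browser would refuse to expose, or null.
function findBlockedHop(pageOrigin, hops) {
  let cors = false;      // becomes true once any hop leaves the page's origin
  let tainted = false;   // becomes true after a foreign-to-foreign redirect
  let prevOrigin = null;
  for (const [index, hop] of hops.entries()) {
    const hopOrigin = new URL(hop.url).origin;
    if (hopOrigin !== pageOrigin) cors = true;
    // Once tainted, the browser sends "Origin: null", so an echoed page
    // origin no longer matches; only "*" or "null" passes.
    if (prevOrigin && prevOrigin !== pageOrigin && hopOrigin !== prevOrigin) tainted = true;
    const expected = tainted ? "null" : pageOrigin;
    if (cors) {
      const acao = parseHeaders(hop.dump).get("access-control-allow-origin");
      if (acao !== "*" && acao !== expected) {
        return { hop: index + 1, url: hop.url, acao: acao ?? null, expected };
      }
    }
    prevOrigin = hopOrigin;
  }
  return null;
}

// Constructed input: header subsets copied from the two HTTPie responses above.
const sampleHops = [
  { url: "https://api.example/atom/atom/zipball",
    dump: "HTTP/1.1 302 Found\nAccess-Control-Allow-Origin: *\nContent-Length: 0" },
  { url: "https://download.example/atom/atom/",
    dump: "HTTP/1.1 200 OK\nContent-Type: application/zip\nX-Frame-Options: deny" },
];

console.log(findBlockedHop("https://app.example", sampleHops));
```

With these inputs the 302 passes on its wildcard header, and the final 200 is reported as the blocked hop because it carries no `Access-Control-Allow-Origin` header.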