codeload.github.com CORS Header issues

Hello,

I am requesting a zipball in the form of a request to:
 api.github.com/repos/<user>/<repo>/zipball

This then redirects to a url in the form:
 codeload.github.com/<user>/<repo>/legacy.zip/develop

However this request fails for me due to:
Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at https://codeload.github.com/<user>/<repo>/legacy.zip/develop. (Reason: CORS header ‘Access-Control-Allow-Origin’ does not match ‘https://render.githubusercontent.com’).

Is there something obvious I am missing, or reason for the CORS header not being * ?


Here’s what I get when I use HTTPie to download the zipball of atom/atom using the endpoint you describe:

$ http https://api.github.com/repos/atom/atom/zipball
HTTP/1.1 302 Found
Access-Control-Allow-Origin: *
Access-Control-Expose-Headers: ETag, Link, Location, Retry-After, X-GitHub-OTP, X-RateLimit-Limit, X-RateLimit-Remaining, X-RateLimit-Reset, X-OAuth-Scopes, X-Accepted-OAuth-Scopes, X-Poll-Interval, X-GitHub-Media-Type
Cache-Control: public, must-revalidate, max-age=0
Content-Length: 0
Content-Security-Policy: default-src 'none'
Content-Type: text/html;charset=utf-8
Date: Mon, 08 Apr 2019 22:05:45 GMT
Expires: Mon, 08 Apr 2019 22:05:45 GMT
Location: https://codeload.github.com/atom/atom/legacy.zip/master
Referrer-Policy: origin-when-cross-origin, strict-origin-when-cross-origin
Server: GitHub.com
Status: 302 Found
Strict-Transport-Security: max-age=31536000; includeSubdomains; preload
Vary: Accept-Encoding
X-Content-Type-Options: nosniff
X-Frame-Options: deny
X-GitHub-Request-Id: 8909:9C93:636B:76DE:5CABC5B8
X-RateLimit-Limit: 60
X-RateLimit-Remaining: 60
X-RateLimit-Reset: 1554764745
X-XSS-Protection: 1; mode=block

But if I use -F to follow redirects, I don’t run into the error you’re describing:

$ http -F https://api.github.com/repos/atom/atom/zipball
HTTP/1.1 200 OK
Access-Control-Allow-Origin: https://render.githubusercontent.com
Content-Disposition: attachment; filename=atom-atom-v1.10.0-beta0-7038-g24c0503.zip
Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
Content-Type: application/zip
Date: Mon, 08 Apr 2019 22:09:37 GMT
ETag: "24c0503617095decad89a23a756630498730da32"
Strict-Transport-Security: max-age=31536000
Transfer-Encoding: chunked
Vary: Authorization,Accept-Encoding
X-Content-Type-Options: nosniff
X-Frame-Options: deny
X-Geo-Block-List:
X-GitHub-Request-Id: 8EAC:3E58:013A:0C59:5CABC6A1
X-XSS-Protection: 1; mode=block
+-----------------------------------------+
| NOTE: binary data not shown in terminal |
+-----------------------------------------+

So I’m not sure what might be going wrong for you, but I also tested this in a browser and the file downloaded fine too.

If you’re still running into this problem, can you give some information as to how exactly you’re making the request?
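As an added illustration (not code from this thread or from GitHub), here is a simplified model of the CORS response check a browser applies to each hop of a followed redirect, fed with the two header sets quoted above. It assumes the page issuing the fetch lives at https://example.test (a placeholder), and it ignores preflight and the Fetch spec's handling of redirect-tainted origins.

```javascript
// Added example: simplified browser CORS response check applied to the two
// responses quoted in the thread. Header values are from the thread; the
// requesting origin is an assumed placeholder.
const REQUEST_ORIGIN = "https://example.test"; // assumed origin of the calling page

// Hop 1: api.github.com answers with a wildcard and a redirect.
const apiResponse = {
  url: "https://api.github.com/repos/atom/atom/zipball",
  status: 302,
  headers: { "access-control-allow-origin": "*" },
};
// Hop 2: codeload.github.com names a single allowed origin.
const codeloadResponse = {
  url: "https://codeload.github.com/atom/atom/legacy.zip/master",
  status: 200,
  headers: { "access-control-allow-origin": "https://render.githubusercontent.com" },
};

// Returns null when `origin` may read the response, otherwise a reason string.
// Simplification: no preflight, no redirect-tainted-origin handling.
function corsCheck(origin, response, withCredentials = false) {
  const acao = response.headers["access-control-allow-origin"];
  if (acao === undefined) return "missing Access-Control-Allow-Origin";
  if (acao === "*") {
    return withCredentials ? "'*' is not allowed for credentialed requests" : null;
  }
  if (acao !== origin) {
    return `Access-Control-Allow-Origin '${acao}' does not match '${origin}'`;
  }
  if (withCredentials &&
      response.headers["access-control-allow-credentials"] !== "true") {
    return "missing Access-Control-Allow-Credentials: true";
  }
  return null;
}

// With redirect: "follow" (fetch's default) every hop must pass the check;
// the first failing hop decides, so the wildcard on hop 1 does not help.
function followChain(origin, chain, withCredentials = false) {
  for (const response of chain) {
    const reason = corsCheck(origin, response, withCredentials);
    if (reason) return { ok: false, blockedAt: response.url, reason };
  }
  return { ok: true, blockedAt: null, reason: null };
}

console.log(followChain(REQUEST_ORIGIN, [apiResponse, codeloadResponse]));
// -> ok: false, blocked at the codeload.github.com hop (header names another origin)
console.log(corsCheck("https://render.githubusercontent.com", codeloadResponse));
// -> null: the one origin hop 2's header admits, for a direct (non-redirected) request
```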

I am making the request using a javascript fetch request.

It should be compatible as mentioned here

The code is:

let zipball = await fetch("https://api.github.com/repos/atom/atom/zipball")
    .then(r => r.blob());

I have the exact same problem, would it be possible to open CORS for codeload.github.com?

@hakilebara If you mean change the CORS settings, I don’t believe the security team would agree to that :grinning:

I mean, if the settings aren’t changed, then the API is a bit useless…

There has been a precedent: https://github.com/octokit/rest.js/issues/817 and the GitHub security team did change the CORS settings.

It’s affecting a bunch of people: https://github.com/octokit/rest.js/issues/1417, https://github.com/octokit/rest.js/issues/758, etc.