GitHub API Bug: Download repository zip CORS

This is a blocker for my application and seems to be causing issues for quite a few other consumers of the GitHub API. This is a CORS problem that should be simple to fix. There is no valid reason that this API should not function from the browser. Please consider addressing this.

[blocked] github.repos.archive() & octokit.repos.uploadAsset() not working in browser due to CORS settings on & · Issue #758 · octokit/rest.js

Hi there @jmcallister-msft :wave:

Thanks so much for joining the Community to get context for the behavior that you’re seeing. Some clarification here is that this is not a bug, but deliberate behavior.

The reason why it’s expected is that it prevents possible abuse of resource usage by downloading large assets from the browser directly.

As a workaround, we recommend making requests to a small proxy you’d build and maintain yourself (or use a public proxy for that purpose).

Beyond this, it would be amazing to both communicate your use case here in this thread, but also submit your feedback via this form:

Those requests get delivered directly to our PM teams for review and consideration.


I would also find this very useful. For my use case, the user needs to be able to download the repository without a server. If there is an issue with resources can’t GitHub set a max limit and chunk the zip file?


I filled out the feedback. Why not remove CORS restriction if authentication is provided on the request? Rate limit still applies here and can be attributed to whichever user request is being made on behalf of.

Our use case is for a product where customers can connect to GitHub and we store configuration files in the repo for them to create a kind of version control. Since customers have thousands of files in some cases and we make all requests from the browser, downloading each file one by one hits rate limit immediately.

Forcing our API to download the resources as a proxy will hurt latency and is sub-optimal design given all other requests are made from the browser.


Is there an update to this issue?