Help
cancel
Showing results for 
Search instead for 
Did you mean: 
Copilot Lvl 2
Message 1 of 3

codeload.github.com CORS Header issues

Hello,

I am requesting a zipball in the form of a request to:
 api.github.com/repos/<user>/<repo>/zipball

This then redirects to a url in the form:
 codeload.github.com/<user>/<repo>/legacy.zip/develop

 

However this request fails for me due to:
Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at https://codeload.github.com/<user>/<repo>/legacy.zip/develop. (Reason: CORS header ‘Access-Control-Allow-Origin’ does not match ‘https://render.githubusercontent.com’).

 

Is there something obvious I am missing, or reason for the CORS header not being * ?

2 Replies
Highlighted
Community Manager
Message 2 of 3

Re: codeload.github.com CORS Header issues

Here's what I get when I use HTTPie to download the zipball of atom/atom using the endpoint you describe:

 

$ http https://api.github.com/repos/atom/atom/zipball
HTTP/1.1 302 Found Access-Control-Allow-Origin: * Access-Control-Expose-Headers: ETag, Link, Location, Retry-After, X-GitHub-OTP, X-RateLimit-Limit, X-RateLimit-Remaining, X-RateLimit-Reset, X-OAuth-Scopes, X-Accepted-OAuth-Scopes, X-Poll-Interval, X-GitHub-Media-Type Cache-Control: public, must-revalidate, max-age=0 Content-Length: 0 Content-Security-Policy: default-src 'none' Content-Type: text/html;charset=utf-8 Date: Mon, 08 Apr 2019 22:05:45 GMT Expires: Mon, 08 Apr 2019 22:05:45 GMT Location: https://codeload.github.com/atom/atom/legacy.zip/master Referrer-Policy: origin-when-cross-origin, strict-origin-when-cross-origin Server: GitHub.com Status: 302 Found Strict-Transport-Security: max-age=31536000; includeSubdomains; preload Vary: Accept-Encoding X-Content-Type-Options: nosniff X-Frame-Options: deny X-GitHub-Request-Id: 8909:9C93:636B:76DE:5CABC5B8 X-RateLimit-Limit: 60 X-RateLimit-Remaining: 60 X-RateLimit-Reset: 1554764745 X-XSS-Protection: 1; mode=block

But if I use `-F` to follow redirects, I don't run into the error you're describing:

 

$ http -F https://api.github.com/repos/atom/atom/zipball
HTTP/1.1 200 OK
Access-Control-Allow-Origin: https://render.githubusercontent.com
Content-Disposition: attachment; filename=atom-atom-v1.10.0-beta0-7038-g24c0503.zip
Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
Content-Type: application/zip
Date: Mon, 08 Apr 2019 22:09:37 GMT
ETag: "24c0503617095decad89a23a756630498730da32"
Strict-Transport-Security: max-age=31536000
Transfer-Encoding: chunked
Vary: Authorization,Accept-Encoding
X-Content-Type-Options: nosniff
X-Frame-Options: deny
X-Geo-Block-List:
X-GitHub-Request-Id: 8EAC:3E58:013A:0C59:5CABC6A1
X-XSS-Protection: 1; mode=block



+-----------------------------------------+
| NOTE: binary data not shown in terminal |
+-----------------------------------------+

So I'm not sure what might be going wrong for you, but I also tested this in a browser and the file downloaded fine too.

 

If you're still running into this problem, can you give some information as to how exactly you're making the request?

Copilot Lvl 2
Message 3 of 3

Re: codeload.github.com CORS Header issues

I am making the request using a javascript fetch request.

It should be compatible as mentioned here

 

The code is:

 

let zipball = await fetch("https://api.github.com/repos/atom/atom/zipball")
			.then(r=>r.blob())