Showing results for 
Search instead for 
Did you mean: 
Copilot Lvl 2
Message 1 of 3 CORS Header issues


I am requesting a zipball in the form of a request to:<user>/<repo>/zipball

This then redirects to a url in the form:<user>/<repo>/


However this request fails for me due to:
Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at<user>/<repo>/ (Reason: CORS header ‘Access-Control-Allow-Origin’ does not match ‘’).


Is there something obvious I am missing, or reason for the CORS header not being * ?

2 Replies
Community Manager
Message 2 of 3

Re: CORS Header issues

Here's what I get when I use HTTPie to download the zipball of atom/atom using the endpoint you describe:


$ http
HTTP/1.1 302 Found Access-Control-Allow-Origin: * Access-Control-Expose-Headers: ETag, Link, Location, Retry-After, X-GitHub-OTP, X-RateLimit-Limit, X-RateLimit-Remaining, X-RateLimit-Reset, X-OAuth-Scopes, X-Accepted-OAuth-Scopes, X-Poll-Interval, X-GitHub-Media-Type Cache-Control: public, must-revalidate, max-age=0 Content-Length: 0 Content-Security-Policy: default-src 'none' Content-Type: text/html;charset=utf-8 Date: Mon, 08 Apr 2019 22:05:45 GMT Expires: Mon, 08 Apr 2019 22:05:45 GMT Location: Referrer-Policy: origin-when-cross-origin, strict-origin-when-cross-origin Server: Status: 302 Found Strict-Transport-Security: max-age=31536000; includeSubdomains; preload Vary: Accept-Encoding X-Content-Type-Options: nosniff X-Frame-Options: deny X-GitHub-Request-Id: 8909:9C93:636B:76DE:5CABC5B8 X-RateLimit-Limit: 60 X-RateLimit-Remaining: 60 X-RateLimit-Reset: 1554764745 X-XSS-Protection: 1; mode=block

But if I use `-F` to follow redirects, I don't run into the error you're describing:


$ http -F
HTTP/1.1 200 OK
Content-Disposition: attachment;
Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
Content-Type: application/zip
Date: Mon, 08 Apr 2019 22:09:37 GMT
ETag: "24c0503617095decad89a23a756630498730da32"
Strict-Transport-Security: max-age=31536000
Transfer-Encoding: chunked
Vary: Authorization,Accept-Encoding
X-Content-Type-Options: nosniff
X-Frame-Options: deny
X-GitHub-Request-Id: 8EAC:3E58:013A:0C59:5CABC6A1
X-XSS-Protection: 1; mode=block

| NOTE: binary data not shown in terminal |

So I'm not sure what might be going wrong for you, but I also tested this in a browser and the file downloaded fine too.


If you're still running into this problem, can you give some information as to how exactly you're making the request?

Copilot Lvl 2
Message 3 of 3

Re: CORS Header issues

I am making the request using a javascript fetch request.

It should be compatible as mentioned here


The code is:


let zipball = await fetch("")