Github CORS requirement clarification

[kumavis]

I've been asking Github to enable CORS headers to their HTTPS git servers, but they've refused to do it. This means that a browser can never clone from github because the browser will disallow XHR requests to the domain.
They do, however, offer a REST interface to the raw git data.
Using this I wrote a mixin for js-git that uses github as the backend store.

I am trying to understand if the lack of CORS support is limiting, if you are able to use the raw git data API. I guess this just necessitates the js-github adapter as opposed to using the normal git communication mechanisms. is it otherwise feature complete? Does this include pushing commits back to github?

[creationix]

You can do mist everything over the rest protocol, its just that its non standard buggy and really really slow for clones. Also for any sizable repo, you'd hit the rate limit long before finishing a full clone.

-----Original Message-----
From: "aaron" [email protected]
Sent: ‎9/‎17/‎2014 5:14 PM
To: "creationix/js-git" [email protected]
Subject: [js-git] Github CORS requirement clarification (#106)

I've been asking Github to enable CORS headers to their HTTPS git servers, but they've refused to do it. This means that a browser can never clone from github because the browser will disallow XHR requests to the domain.
They do, however, offer a REST interface to the raw git data.
Using this I wrote a mixin for js-git that uses github as the backend store.
I am trying to understand if the lack of CORS support is limiting, if you are able to use the raw git data API. I guess this just necessitates the js-github adapter as opposed to using the normal git communication mechanisms. is it otherwise feature complete? Does this include pushing commits back to github?
—
Reply to this email directly or view it on GitHub.=

[kumavis]

Ah ok, this does seem like a problem. Did the github team give any specific pushback on why they would not enable CORS?

[creationix]

No. I've never gotten a reason of why they won't do it. I either get no
response or they say they are looking into it. I've been trying for almost
18 months now.

On Thu, Sep 18, 2014 at 12:58 PM, aaron [email protected] wrote:

Ah ok, this does seem like a problem. Did the github team give any
specific pushback on why they would not enable CORS?

—
Reply to this email directly or view it on GitHub
#106 (comment).

[kumavis]

I sent an email and filed an issue on Isaac's unofficial github issue tracker isaacs/github#263

[davidgiven]

Is this still an issue?

[creationix]

As far as I know, they never responded. The joys of putting all our open source ecosystem in the hands of a closed-source company. Maybe we should reach out again now that they are part of Microsoft? Anyone have good contacts there?

[easrng]

try using no-cors fetch instead of XHR. It might not work do to restrictions though.

[davidgiven]

What is no-cors fetch?

[easrng]

Fetch is a new JavaScript function that supersedes XHR that has 2 modes: cors and no-cors.
cors mode functions like normal xhr, no-cors lets you request anything, but with limitations on what headers you can get and set.
See https://developer.mozilla.org/en-US/docs/Web/API/Fetch_API

[creationix]

I thought no-cors mode didn't allow reading the response. That's pretty essential for this to work.

In addition, JavaScript may not access any properties of the resulting Response
https://developer.mozilla.org/en-US/docs/Web/API/Request/mode

[GeekyDeaks]

I may have misunderstood, but I think this would be limited to read-only anyway since CORS does not allow credentials for Access-Control-Allow-Origin: *

https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS/Errors/CORSNotSupportingCredentials

Are you are asking them to echo the Origin header?

neat module btw

[creationix]

Credentials would be needed for private repos or pushing changes. But currently I can't even read public repos without CORS enabled on their end.