Cross-Origin Resource Sharing on GitHub Pages

cors github github-pages

EDIT: Yay! Looks like GitHub Pages now supports CORS: https://twitter.com/invisiblecomma/status/575219895308324864

This can be verified by curling a request to enable-cors.org (which is hosted on GitHub Pages). Running this command: curl -v enable-cors.org > /dev/null returns an Access-Control-Allow-Origin: * header.

There's no way to support CORS on GitHub Pages, though I'd love to see this feature. We host http://enable-cors.org on GitHub Pages, and we can't enable CORS on the site itself :)

Update

As noted by @Styx GitHub Pages now always redirect to HTTPS. So if you want to confirm for yourself that all origins are allowed, for a particular site using GitHub pages, try curl with -L (to follow the redirects that are involved). E.g.:

$ curl -vL square.github.io/okhttp 2>&1 | fgrep -i access-control-allow-origin

You can use a CORS proxy.
http://cors.io/ worked for me.

Normal request:

$.getJSON('https://blockchain.info/stats?format=json',function(data){})

Request with proxy (just prepend http://cors.io/? on the url)

$.getJSON('http://cors.io/?https://blockchain.info/stats?format=json',function(data){})

UPDATE: The API doc have been updated, you just need to prefix your url with https://cors.io/?.


FYI it looks like GitHub Pages now support CORS (at least in some situations). In this case custom domains with bare URLs (no www or github sub domain). This means using an A record and avoiding their caching CDN.

When I go to enable-cors.org now I see the Access-Control-Allow-Origin: * header returned on all resources (from the network tab of the browser developer tools). In both Chrome and Firefox.

I use this at https://isthetubeonstrike.com to access a JSON file cross domain from a mobile web app. The SSL/TLS is provided by going through CloudFlare BTW.


What I'm getting from having put in a support ticket a few days ago is that CORS requests to GitHub Pages are perfectly fine.

Getting content from another page, which is what the original post seems to be asking about, means that the other page's server has to have CORS requests set up or otherwise it will block your requests. Typically sites have public APIs to work around this issue if there is a real need to get content from them (e.g., MediaWiki for Wikipedia).

Related

What is the issue CORS is trying to solve?
pipe both, stdout and stderr in the fish shell
Why does {{undefined + number}} return number?
What is the most clever and easy approach to sync data between multiple entities?
Can I do a dry run with homebrew to see the details of what will be installed and how?
Creating page headers and footers using CSS for print
Are there any offline HTML CSS JavaScript editors like JSFiddle, jsbin, codepen etc.? [closed]
What is the difference between the click and tap events?
Writing a Python extension in Go (Golang)
CSS transition from `display: none` on class change?
Angular's use of Inline JavaScript in HTML attributes is not "bad practice"? [closed]
Gnuplot date/time in x axis