From 76237050ebc3651b6ae07309bd30b8845558a834 Mon Sep 17 00:00:00 2001
From: Roman Yurchak <rth.yurchak@gmail.com>
Date: Mon, 11 May 2020 10:06:33 +0200
Subject: [PATCH] Add documentation

---
 docs/pypi.md | 27 ++++++++++++++++++++++++++-
 1 file changed, 26 insertions(+), 1 deletion(-)

diff --git a/docs/pypi.md b/docs/pypi.md
index 9f84af2a2..0e166ecb0 100644
--- a/docs/pypi.md
+++ b/docs/pypi.md
@@ -22,7 +22,7 @@ For use outside of Iodide (just Python), you can use the `then` method on the
 `Promise` that `micropip.install` returns to do work once the packages have
 finished loading:
 
-```
+```py
 def do_work(*args):
     import snowballstemmer
     stemmer = snowballstemmer.stemmer('english')
@@ -32,6 +32,31 @@ import micropip
 micropip.install('snowballstemmer').then(do_work)
 ```
 
+File integrity validation is implementing by checking the hash of the downloaded
+wheel against pre-recorded hash digests from the PyPi JSON API.
+
+## Installing wheels from arbitrary URLs
+
+Pure python wheels can also be installed from any URL with micropip,
+```py
+import micropip
+micropip.install(
+    'https://example.com/files/snowballstemmer-2.0.0-py2.py3-none-any.whl'
+)
+```
+
+The wheel name in the URL must follow [PEP 427 naming
+convention](https://www.python.org/dev/peps/pep-0427/#file-format), which will
+be the case if the wheels is made using standard python tools (`wheel`,
+`setup.py bdist_wheel`).
+
+The remote server must set Cross-Origin Resource Sharing (CORS) headers to
+allow access. Otherwise, you can prepend a CORS proxy to the URL. Note however
+that using third-party CORS proxies has security implications, particularly
+since we are not able to check the file integrity, unlike with installs from
+PyPi.
+
+
 ## Complete example
 
 Adapting the setup from the section on ["using pyodide from