Remove CORS proxy in micropip (#650)

Roman Yurchak 2020-05-10 15:47:09 +02:00 committed by GitHub
parent d7c0879cc3
commit faee135865
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 2 additions and 20 deletions


@ -2,15 +2,6 @@
Pyodide has experimental support for installing pure Python wheels from PyPI.
**IMPORTANT:** Since the packages hosted at `files.pythonhosted.org` don't
support CORS requests, we use a CORS proxy at `cors-anywhere.herokuapp.com` to
get package contents. This makes a man-in-the-middle attack on the package
contents possible. However, this threat is minimized by the fact that the
integrity of each package is checked using a hash obtained directly from
`pypi.org`. We hope to have this improved in the future, but for now, understand
the risks and don't use any sensitive data with the packages installed using
this method.
For use in Iodide:
```


@ -93,7 +93,7 @@ class _WheelInstaller:
class _RawWheelInstaller(_WheelInstaller):
def fetch_wheel(self, name, fileinfo):
return 'https://cors-anywhere.herokuapp.com/' + fileinfo['url']
return fileinfo['url']
class _PackageManager:
@ -229,15 +229,6 @@ def install(requirements):
Returns a Promise that resolves when all packages have downloaded and
installed.
**IMPORTANT:** Since the packages hosted at `files.pythonhosted.org` don't
support CORS requests, we use a CORS proxy at `cors-anywhere.herokuapp.com`
to get package contents. This makes a man-in-the-middle attack on the
package contents possible. However, this threat is minimized by the fact
that the integrity of each package is checked using a hash obtained
directly from `pypi.org`. We hope to have this improved in the future, but
for now, understand the risks and don't use any sensitive data with the
packages installed using this method.
"""
def do_install(resolve, reject):
PACKAGE_MANAGER.install(
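Review bot: Deleting the whole IMPORTANT paragraph from the `install` docstring also drops the only visible statement that each wheel is checked against a hash obtained from `pypi.org`, while `_RawWheelInstaller.fetch_wheel` now hands back `fileinfo['url']` exactly as the index metadata supplies it. The verification code is not in these hunks, so it is worth confirming that it still runs on the direct-download path. If it does, keep one sentence in the docstring, such as `Each wheel is verified against the digest published by pypi.org before it is installed.` A one-line docstring on `fetch_wheel`, e.g. `"""Return the download URL for the wheel described by fileinfo."""`, would also make clear that the method returns a URL and does not download anything. Both `install` and the `_RawWheelInstaller` class continue outside the hunks shown.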


@ -12,7 +12,7 @@ def test_install_simple(selenium_standalone):
for i in range(10):
if selenium_standalone.run(
"os.path.exists"
"('/lib/python3.6/site-packages/snowballstemmer')"
"('/lib/python3.7/site-packages/snowballstemmer')"
):
break
else: