From faee13586536d07e132ece1147664f7f856e6a9a Mon Sep 17 00:00:00 2001 From: Roman Yurchak Date: Sun, 10 May 2020 15:47:09 +0200 Subject: [PATCH] Remove CORS proxy in micropip (#650) --- docs/pypi.md | 9 --------- packages/micropip/micropip/micropip.py | 11 +---------- packages/micropip/test_micropip.py | 2 +- 3 files changed, 2 insertions(+), 20 deletions(-) diff --git a/docs/pypi.md b/docs/pypi.md index b1066efad..9f84af2a2 100644 --- a/docs/pypi.md +++ b/docs/pypi.md @@ -2,15 +2,6 @@ Pyodide has experimental support for installing pure Python wheels from PyPI. -**IMPORTANT:** Since the packages hosted at `files.pythonhosted.org` don't -support CORS requests, we use a CORS proxy at `cors-anywhere.herokuapp.com` to -get package contents. This makes a man-in-the-middle attack on the package -contents possible. However, this threat is minimized by the fact that the -integrity of each package is checked using a hash obtained directly from -`pypi.org`. We hope to have this improved in the future, but for now, understand -the risks and don't use any sensitive data with the packages installed using -this method. - For use in Iodide: ``` diff --git a/packages/micropip/micropip/micropip.py b/packages/micropip/micropip/micropip.py index 30f9353fa..696447451 100644 --- a/packages/micropip/micropip/micropip.py +++ b/packages/micropip/micropip/micropip.py @@ -93,7 +93,7 @@ class _WheelInstaller: class _RawWheelInstaller(_WheelInstaller): def fetch_wheel(self, name, fileinfo): - return 'https://cors-anywhere.herokuapp.com/' + fileinfo['url'] + return fileinfo['url'] class _PackageManager: 
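Review bot: The new `return fileinfo['url']` in fetch_wheel hands the URL taken from the index metadata to the fetch layer unchecked, so the trust that was previously shared with the proxy now rests entirely on that metadata and on the digest check that the deleted documentation described. That digest check is not visible in this hunk; if it lives elsewhere in the installer it should be confirmed to still run on the bytes fetched from the direct URL, since the proxy removal is only a clean security win if it does. A cheap defense-in-depth guard also fits here: `url = fileinfo['url']` / `if not url.startswith('https://'): raise ValueError('refusing non-HTTPS wheel URL: ' + url)` / `return url`. The method should carry a docstring now that nothing in the body explains why the URL is used as-is, e.g. `"""Return the direct download URL for *fileinfo*; the wheel is fetched from the host named in the index metadata without a proxy."""`.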
@@ -229,15 +229,6 @@ def install(requirements): Returns a Promise that resolves when all packages have downloaded and installed. - - **IMPORTANT:** Since the packages hosted at `files.pythonhosted.org` don't - support CORS requests, we use a CORS proxy at `cors-anywhere.herokuapp.com` - to get package contents. This makes a man-in-the-middle attack on the - package contents possible. However, this threat is minimized by the fact - that the integrity of each package is checked using a hash obtained - directly from `pypi.org`. We hope to have this improved in the future, but - for now, understand the risks and don't use any sensitive data with the - packages installed using this method. """ def do_install(resolve, reject): PACKAGE_MANAGER.install( diff --git a/packages/micropip/test_micropip.py b/packages/micropip/test_micropip.py index 74decd316..612411df2 100644 --- a/packages/micropip/test_micropip.py +++ b/packages/micropip/test_micropip.py @@ -12,7 +12,7 @@ def test_install_simple(selenium_standalone): for i in range(10): if selenium_standalone.run( "os.path.exists" - "('/lib/python3.6/site-packages/snowballstemmer')" + "('/lib/python3.7/site-packages/snowballstemmer')" ): break else:
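Review bot: The updated path `'/lib/python3.7/site-packages/snowballstemmer'` in test_install_simple still hard-codes the interpreter minor version, which is exactly why this line had to change in this commit and why it will break again on the next Python upgrade. Resolving the site-packages directory inside the Pyodide runtime avoids that, e.g. `"os.path.exists(os.path.join(sysconfig.get_path('purelib'), 'snowballstemmer'))"`, provided `selenium_standalone.run` can import `sysconfig` or it is imported by an earlier `run` call that this hunk does not show. The enclosing `for`/`else` loop and test_install_simple itself extend beyond the hunk.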