Has CORS support in Git endpoints been considered? #188403
Unanswered
lawrencejob asked this question in API and Webhooks
Replies: 0 comments
Select Topic Area
Product Feedback
Body
I am working on an app which works in the desktop and the browser to allow users to check out a repository, make changes, and check them back in as you expect.
To make it work in the browser I have been using the excellent isomorphic-git library. However, I have encountered one area of architectural and security concern.
Because of CSP/CORS configuration in the Git endpoints, similar projects have had to proxy the requests, which involves giving deep access to a third party. I don't think most users realise the risk this poses. Any CORS proxy has complete access to the HTTP request without any of the protections afforded by HTTPS.
I can make this software a desktop app and sidestep this, or I can put my users at risk (and pay for the bandwidth of routing their request to some other service and add another dependency to my architecture), but if there's a first party solution to this problem I would be extremely keen to adopt it.
I completely understand if this has been discussed before (I can't find it if it's public), I would love to know if it's a) rejected b) in the pipeline or c) not been considered before.
Thanks for the great service.
Related:
https://github.com/orgs/community/discussions/49980
https://github.com/gr2m/github-api-wishlist/tree/master/wishlist/cors-for-adjacent-domains
Sorry, this was originally posted as "Product Feedback" but had to re-post it. Is there a way to relabel this?