Page MenuHomePhabricator

Enable CORS for error responses from ORES
Closed, ResolvedPublic


I'm getting this on itwiki when I visit the recent changes with ScoredRevisions enabled:

Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at (Reason: CORS header 'Access-Control-Allow-Origin' missing).

Accessing the link directly in the browser shows this response:

  "error": {
    "code": "server overloaded",
    "message": "Cannot process your request because the server is overloaded.  Try again in a few minutes."

Event Timeline

He7d3r raised the priority of this task from to Needs Triage.
He7d3r updated the task description. (Show Details)
He7d3r added a subscriber: He7d3r.

Just ran a test and I was able to replicate this by

  1. Go to
  2. Open dev console
  3. Paste $.ajax("")

In chrome, I get:

XMLHttpRequest cannot load 
No 'Access-Control-Allow-Origin' header is present on the requested resource. 
Origin '' is therefore not allowed access. The response had HTTP status code 400.

But if instead, I paste $.ajax(""), I get no error because the response is 200.

Looks like this is what defines our CORS:

@yuvipanda originally set this up, so maybe he has an idea for why it doesn't work with non-200 responses.

Ladsgroup added a project: Wikilabels.

Same happens with Wikilabels. It's pretty easy to fix.

Change 287566 had a related patch set uploaded (by Ladsgroup):
Enable CORS for ORES regardless of response code

Change 287566 merged by Yuvipanda:
ores: Enable CORS regardless of response code