- T91162: RFC: Shadow namespaces would be the nice solution, but it's probably not happening anytime soon.
- just add Allow-Origin headers to action=raw requests coming from a $wgCrossSiteAJAXdomains domain. As long as authenticated CORS is not allowed, that does not seem scary.
- CORS is already enabled for the API, meaning that the page content can be fetched by a revisions API request. That works if the data format is JSON as Vega allows specifying a path in the returned JSON object. There doesn't seem to be any way to tell Vega that something is a CSV etc. wrapped in JSON, though.
I don't think it's a bug per se, CORS is simply not enabled for anything other than the API (and images). For authenticated CORS, this is probably for the better (at the very least, access to Special:UserLogin should be forbidden) but basic CORS would be harmless as far as I can see.
@Tgr, it should work, but it doesn't. The "raw" can be replaced with wikiraw://www.mediawiki.org/Extension:Graph/data/us-10m-json -- the wikiraw: protocol uses API, but it doesn't yet work on server side graphoid, but it works for graph preview and interactive. Yet it still fails CORs. On the other hand, page views graph works fine, even though it makes a request to another domain: https://wikimedia.org/api/rest_v1/metrics/pageviews/per-article/en.wikipedia/all-access/user/Main_Page/daily/2015121722/2015122722
I'm unable to use dataset (JSON) from another wikipedia. (it works, but only using interactive mode)
Simple example - which is a copy of copy https://www.mediawiki.org/wiki/Extension:Graph/Demo/Map to hewiki (or other wiki, not dewiki):
- "url": "wikiraw://de.wikipedia.org/Modul:Graph//WorldMap-iso2.json" - FAIL
- "url": "wikiraw://www.mediawiki.org/Extension:Graph/Demo/RawData:WorldMap-iso2-json" - WORKS