I'm here to request that CORS be enabled for sites hosted at Labs (*.wmflabs.org) and Tool Labs (tools.wmflabs.org). Personally, it'll be great if those tools hosted here that require MediaWiki API calls can be served via JSON (and not JSONP, because JSON requests can be cached). Aren't tools hosted at Labs & Tool Labs more or less trusted?
Labs (*.wmflabs.org) and Tool Labs (tools.wmflabs.org)
Tools is part of labs, and matches the first domain.
I think this is one of the security-sensitive settings (but I don't remember the exact implications off the top of my head), and it has "DO NOT add domains here that aren't WMF wikis unless you really know what you're doing" as a comment.
Aren't tools hosted at Labs & Tool Labs more or less trusted?
Nope, those are not trusted.
So I would strongly oppose that, and recommend we close this as declined.
If we have a specific tool that is commonly used, and needs to be more deeply integrated into the project sites, then we should consider converting that to an extension, where it will receive a security review, etc.
Alternatively, OAuth can be used as well.
Aside from accessing APIs as a logged-in user, I think there is a very valid use case here for accessing the APIs as a logged-out user. Simple things like siteinfo, namespaces, search, revision queries etc. For ajaxy tools that want some of this stuff it's really awkward to have to build your own API to proxy requests to wmf domains from a tool backend, rather than directly.
This data is already exposed currently, but it requires adding a callback parameter which triggers the JSON-P format and the associated session-less API mode. However, these callbacks are typically random temporary strings and make the URL uncacheable.
Having a way to trigger &origin=* (CORS) for arbitrary domains and get the anonymous mode would be very valuable. We currently don't do this because we implemented the anonymous/JSON-P mode way before CORS was a common feature in web browsers. Nowadays it's nearly ubiquitous.
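As an added illustration of the distinction drawn in this thread between the `origin=*` anonymous mode and a credentialed request from a domain on the trusted list, here is a simplified Python model of the server-side decision. It is not MediaWiki's code; the allow-list patterns, the header set and the "reject on mismatch" rule are assumptions made for the example.

```python
from typing import Optional

# Constructed allow-list in the spirit of the "DO NOT add domains here" setting:
# only first-party wiki origins may make credentialed (logged-in) requests.
TRUSTED_ORIGINS = [
    "https://*.wikipedia.org",
    "https://*.wikimedia.org",
]

def origin_allowed(origin: str) -> bool:
    """Match an Origin header value against the allow-list; '*' spans one label only."""
    scheme, _, host = origin.partition("://")
    for pattern in TRUSTED_ORIGINS:
        p_scheme, _, p_host = pattern.partition("://")
        if scheme != p_scheme:
            continue
        if p_host.startswith("*."):
            suffix = p_host[1:]  # e.g. ".wikipedia.org"
            label = host[: -len(suffix)] if host.endswith(suffix) else None
            if label and "." not in label:
                return True
        elif host == p_host:
            return True
    return False

def cors_decision(origin_param: Optional[str], origin_header: Optional[str]) -> dict:
    """Decide session handling and CORS headers for one API request.

    origin_param is the request's 'origin' query parameter, origin_header the
    browser-sent Origin header. Returns {'mode': ..., 'headers': {...}}.
    """
    if origin_param is None:
        # No CORS requested: ordinary same-origin handling, no CORS headers.
        return {"mode": "same-origin", "headers": {}}
    if origin_param == "*":
        # Anonymous mode: the user session is dropped, so the response carries
        # nothing private and can be shared and cached like a JSON-P response.
        return {"mode": "anonymous", "headers": {"Access-Control-Allow-Origin": "*"}}
    if origin_header != origin_param or not origin_allowed(origin_param):
        # A page cannot claim a trusted origin it does not actually have.
        return {"mode": "reject", "headers": {}}
    # Trusted wiki origin: credentials allowed, so the response must vary per origin.
    return {"mode": "credentialed", "headers": {
        "Access-Control-Allow-Origin": origin_param,
        "Access-Control-Allow-Credentials": "true",
        "Vary": "Origin",
    }}
```

A tool on tools.wmflabs.org falls into the anonymous branch with `origin=*`, which is exactly the logged-out, cacheable access the comment above asks for, without the tool's domain ever entering the trusted list.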