
'Access-Control-Allow-Origin' error for cross-domain graph api requests
Closed, Resolved · Public

Description

To test, edit the source of this article's api example, and hit "preview". The first graph is ok (it gets its data from the current domain), but the second is not. Both are ok when drawn by the graphoid service.

XMLHttpRequest cannot load https://en.wikipedia.org/w/api.php?generator=categorymembers&gcmtitle=Categ…at&action=query&gcmlimit=max&prop=categoryinfo&formatversion=2&format=json.
No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'https://www.mediawiki.org' is therefore not allowed access.
=== Request
:host:en.wikipedia.org
:method:GET
:path:/w/api.php?generator=categorymembers&gcmtitle=Category%3APeople&gcmtype=subcat&action=query&gcmlimit=max&prop=categoryinfo&formatversion=2&format=json
:scheme:https
:version:HTTP/1.1
accept:*/*
accept-encoding:gzip, deflate, sdch
accept-language:en-US,en;q=0.8,ru;q=0.6
dnt:1
origin:https://www.mediawiki.org
referer:https://www.mediawiki.org/w/index.php?title=Extension:Graph/Demo&action=submit
user-agent:Mozilla/5.0 (X11; Linux i686 (x86_64)) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2564.109 Safari/537.36

=== Response
Request Method:GET
Status Code:200 OK
Remote Address:[2620:0:862:ed1a::1]:443
Response Headers
accept-ranges:bytes
age:0
backend-timing:D=58213 t=1455554899058161
cache-control:private, must-revalidate, max-age=0
content-encoding:gzip
content-length:657
content-type:application/json; charset=utf-8
date:Mon, 15 Feb 2016 16:48:19 GMT
server:nginx/1.9.4
set-cookie:WMF-Last-Access=15-Feb-2016;Path=/;HttpOnly;Expires=Fri, 18 Mar 2016 12:00:00 GMT
set-cookie:CP=H2; Path=/
set-cookie:GeoIP=:::::v6; Path=/; Domain=.wikipedia.org
status:200 OK
strict-transport-security:max-age=31536000; includeSubDomains; preload
vary:Accept-Encoding,X-Forwarded-Proto,Cookie,Authorization
version:HTTP/1.1
via:1.1 varnish, 1.1 varnish, 1.1 varnish
x-analytics:https=1;nocookies=1
x-cache:cp1052 pass+chfp(0), cp3041 miss+chfp(0), cp3040 frontend pass+chfp(0)
x-client-ip:  ...(ipv6)...
x-content-type-options:nosniff
x-frame-options:SAMEORIGIN
x-powered-by:HHVM/3.6.5
x-varnish:2720961253, 2521500878, 667911492

Details

Related Gerrit Patches:
mediawiki/extensions/Graph : master : Fixed api origin parameter

Event Timeline

Yurik created this task. Feb 15 2016, 5:06 PM
Yurik raised the priority of this task from to High.
Yurik updated the task description.
Yurik added subscribers: Yurik, Anomie.
Restricted Application added a subscriber: Aklapper. Feb 15 2016, 5:06 PM

:path:/w/api.php?generator=categorymembers&gcmtitle=Category%3APeople&gcmtype=subcat&action=query&gcmlimit=max&prop=categoryinfo&formatversion=2&format=json

You forgot to include the origin GET parameter that the API requires in order to process a request as a CORS request. See also T62835, particularly T62835#1794676.
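
Added example, not part of the task thread or of the Graph extension's code: a sketch of the client-side fix described in the comment above, plus a check that classifies the captured request/response pair from the task description. The helper names `withCorsOrigin` and `diagnoseCors` are hypothetical, and the "fixed" response is constructed on the assumption that the API answers with a matching `Access-Control-Allow-Origin` header once `origin` is supplied.

```javascript
// withCorsOrigin and diagnoseCors are hypothetical helper names for this example.
// Append the `origin` query parameter to a cross-origin MediaWiki API URL.
// Same-origin URLs and URLs that already carry `origin` are returned unchanged.
function withCorsOrigin(apiUrl, pageOrigin) {
  const url = new URL(apiUrl);
  if (url.origin !== pageOrigin && !url.searchParams.has('origin')) {
    url.searchParams.set('origin', pageOrigin);
  }
  return url.toString();
}

// Classify a captured request/response pair the way the browser's CORS check
// would, and name the likely cause when the response is blocked.
// Header names are expected in lower case.
function diagnoseCors(request, response) {
  const url = new URL(request.url);
  const origin = request.headers['origin'];
  if (!origin || origin === url.origin) return 'same-origin';
  const allowed = response.headers['access-control-allow-origin'];
  if (allowed === origin || (allowed === '*' && !request.withCredentials)) return 'allowed';
  const param = url.searchParams.get('origin');
  if (param === null) return 'blocked: no origin parameter in the query string';
  if (param !== origin) return 'blocked: origin parameter differs from Origin header';
  return 'blocked: response does not allow this origin';
}

// Request and response from the task description, trimmed to the relevant headers.
const captured = {
  request: {
    url: 'https://en.wikipedia.org/w/api.php?generator=categorymembers' +
      '&gcmtitle=Category%3APeople&gcmtype=subcat&action=query&gcmlimit=max' +
      '&prop=categoryinfo&formatversion=2&format=json',
    headers: { origin: 'https://www.mediawiki.org' },
  },
  response: { headers: { 'content-type': 'application/json; charset=utf-8' } },
};
// Constructed: the same request with `origin` added, and a response that
// assumes the API answers with a matching Access-Control-Allow-Origin header.
const fixed = {
  request: {
    url: withCorsOrigin(captured.request.url, 'https://www.mediawiki.org'),
    headers: { origin: 'https://www.mediawiki.org' },
  },
  response: { headers: { 'access-control-allow-origin': 'https://www.mediawiki.org' } },
};

console.log(diagnoseCors(captured.request, captured.response));
console.log(diagnoseCors(fixed.request, fixed.response));
```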

Change 270782 had a related patch set uploaded (by Yurik):
Fixed api origin parameter

https://gerrit.wikimedia.org/r/270782

Change 270782 merged by jenkins-bot:
Fixed api origin parameter

https://gerrit.wikimedia.org/r/270782

matmarex closed this task as Resolved. Sep 10 2016, 6:49 PM
matmarex added a subscriber: matmarex.

(Looks fixed to me.)