Page MenuHomePhabricator
Create Task
Maniphest T208601

ForeignApi adds the origin parameter even if the other wiki is on the same domain
Closed, ResolvedPublic
Actions

Description

MediaWiki version: 1.31.1

More background on this issue here: https://phabricator.wikimedia.org/T207872

ForeignApi always adds the origin parameter, even if the other wiki is on the same domain. The issue is that no Origin header is sent if the remote API is on the same domain, and the request is rejected by MW because the origin parameter and the Origin header must be identical.

For example, I have VisualEditor 0.1.0 (13a585a) set up with the upload dialog configured ($wgForeignFileRepos and $wgForeignUploadTargets). The upload dialog won't load because two API queries (meta=userinfo&uiprop=groups%7Crights and meta=siteinfo&siprop=uploaddialog) specify the origin parameter but contain no Origin header.

If I comment out the bit that adds the origin parameter, I get the first part of the upload dialog to display, but when I select a file and submit it for upload, the POST API query fails because this time, it contains an Origin header (go figure).

So it looks like ForeignApi simply won't work with wikis on the same domain.

For the record, I'm using Chrome 70.0.3538.77 in case this is browser-dependent.

Details

SubjectRepoBranchLines +/-
mw.ForeignApi: don’t set origin for same-origin requestsmediawiki/coremaster+43 -7
Customize query in gerrit

Related Objects
Search...

Event Timeline

Ascotmonth created this task.Nov 2 2018, 3:44 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptNov 2 2018, 3:44 PM
Aklapper edited projects, added MediaWiki-General; removed Platform Engineering.Nov 2 2018, 4:31 PM
matmarex edited projects, added MediaWiki-Action-API; removed MediaWiki-General.Nov 2 2018, 6:18 PM
matmarex subscribed.
Anomie edited projects, added JavaScript, MediaWiki-User-Interface; removed MediaWiki-Action-API.Nov 5 2018, 5:17 PM
Anomie subscribed.

MediaWiki-Action-API isn't the right tag for issues with the client library included in resources/src/, much like it's not the right tag for things like Pywikibot. Feel free to retag if a problem is identified in the API itself rather than in a client library.

Lucas_Werkmeister_WMDE subscribed.Sep 9 2019, 2:26 PM

One special case of this issue is that ForeignApi cannot be used to communicate with the current wiki; we’re encountering this in Wikidata-Bridge, where a Wikibase client wiki makes edits on a Wikibase repository wiki (which may or may not be the same wiki as the client wiki). We’d like to unconditionally use ForeignApi( repoApiUrl ) here, but due to this bug it currently doesn’t work if the client wiki is the repo wiki (or, I assume, if they’re on the same domain, though I haven’t tested that yet).

Lucas_Werkmeister_WMDE mentioned this in T230336: Create entity save action.Sep 9 2019, 2:28 PM
Lucas_Werkmeister_WMDE claimed this task.Sep 9 2019, 2:55 PM
Lucas_Werkmeister_WMDE added a project: Wikidata-Bridge-Sprint-4.
Lucas_Werkmeister_WMDE added a parent task: T226999: Save Wikidata edit when submitting client edit modal.
gerritbot added a comment.Sep 9 2019, 3:01 PM

Change 535206 had a related patch set uploaded (by Lucas Werkmeister (WMDE); owner: Lucas Werkmeister (WMDE)):
[mediawiki/core@master] mw.ForeignApi: don’t set origin for same-origin requests

https://gerrit.wikimedia.org/r/535206

gerritbot added a project: Patch-For-Review.Sep 9 2019, 3:01 PM
Lucas_Werkmeister_WMDE moved this task from To do to Peer Review on the Wikidata-Bridge-Sprint-4 board.Sep 9 2019, 3:03 PM
Pablo-WMDE added a project: Wikidata-Bridge-Sprint-5.Sep 11 2019, 8:56 AM
Pablo-WMDE moved this task from To do to Peer Review on the Wikidata-Bridge-Sprint-5 board.
WDoranWMF added a project: Platform Team Workboards (Clinic Duty Team).Sep 11 2019, 4:44 PM
WDoranWMF moved this task from Inbox to External Code Review Needed on the Platform Team Workboards (Clinic Duty Team) board.
gerritbot added a comment.Sep 12 2019, 5:34 PM

Change 535206 merged by jenkins-bot:
[mediawiki/core@master] mw.ForeignApi: don’t set origin for same-origin requests

https://gerrit.wikimedia.org/r/535206

ReleaseTaggerBot added a project: MW-1.34-notes (1.34.0-wmf.23; 2019-09-17).Sep 12 2019, 6:01 PM
Maintenance_bot removed a project: Patch-For-Review.Sep 12 2019, 6:10 PM
matmarex closed this task as Resolved.Sep 12 2019, 8:51 PM
Pablo-WMDE moved this task from Peer Review to Done on the Wikidata-Bridge-Sprint-5 board.Sep 13 2019, 7:14 AM
LucasWerkmeister mentioned this in T239518: Stop using, deprecate and remove Wikibase’s getLocationAgnosticMwApi.Nov 30 2019, 6:46 PM
Aklapper removed a subscriber: Anomie.Oct 16 2020, 5:38 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL