Page MenuHomePhabricator

ForeignApi adds the origin parameter even if the other wiki is on the same domain
Closed, ResolvedPublic

Description

MediaWiki version: 1.31.1

More background on this issue here: https://phabricator.wikimedia.org/T207872

ForeignApi always adds the origin parameter, even if the other wiki is on the same domain. The issue is that no Origin header is sent if the remote API is on the same domain, and the request is rejected by MW because the origin parameter and the Origin header must be identical.

For example, I have VisualEditor 0.1.0 (13a585a) set up with the upload dialog configured ($wgForeignFileRepos and $wgForeignUploadTargets). The upload dialog won't load because two API queries (meta=userinfo&uiprop=groups%7Crights and meta=siteinfo&siprop=uploaddialog) specify the origin parameter but contain no Origin header.

If I comment out the bit that adds the origin parameter, I get the first part of the upload dialog to display, but when I select a file and submit it for upload, the POST API query fails because this time, it contains an Origin header (go figure).

So it looks like ForeignApi simply won't work with wikis on the same domain.

For the record, I'm using Chrome 70.0.3538.77 in case this is browser-dependent.

Event Timeline

Restricted Application added a subscriber: Aklapper. · View Herald TranscriptNov 2 2018, 3:44 PM
matmarex added a subscriber: matmarex.
Anomie added a subscriber: Anomie.

MediaWiki-API isn't the right tag for issues with the client library included in resources/src/, much like it's not the right tag for things like Pywikibot. Feel free to retag if a problem is identified in the API itself rather than in a client library.

One special case of this issue is that ForeignApi cannot be used to communicate with the current wiki; we’re encountering this in Wikidata-Bridge, where a Wikibase client wiki makes edits on a Wikibase repository wiki (which may or may not be the same wiki as the client wiki). We’d like to unconditionally use ForeignApi( repoApiUrl ) here, but due to this bug it currently doesn’t work if the client wiki is the repo wiki (or, I assume, if they’re on the same domain, though I haven’t tested that yet).

Change 535206 had a related patch set uploaded (by Lucas Werkmeister (WMDE); owner: Lucas Werkmeister (WMDE)):
[mediawiki/core@master] mw.ForeignApi: don’t set origin for same-origin requests

https://gerrit.wikimedia.org/r/535206

Change 535206 merged by jenkins-bot:
[mediawiki/core@master] mw.ForeignApi: don’t set origin for same-origin requests

https://gerrit.wikimedia.org/r/535206

matmarex closed this task as Resolved.Sep 12 2019, 8:51 PM