Page MenuHomePhabricator
Create Task
Maniphest T232176

Enable cross-origin resource sharing (CORS) for requests in Core REST API
Closed, ResolvedPublic
Actions

Description

Origin

The Access-Control-Allow-Origin response header should be set for all requests and given a default value of *. for wikis that are not on an intranet (i.e. behind a firewall). It is completely safe to set this as the default value. MediaWiki should allow this behavior to be disabled if you are running MediaWiki on an intranet.

Doing this will provide for a much better developer experience as developers will be able to use the API from another origin automatically.

Proposed Solution
Add Access-Control-Allow-Origin: * to all requests (config option to disable)

Credentials

If the API allows for authorization with the authorization code grant (or some other authorization mechanism that and does not force the client app to expose it's own secrets), then it is safe to add Access-Control-Allow-Headers with a value of Authorization (this header only needs to be added as as response to an OPTIONS request). This would allow non-whitelisted origins to make cross-origin authenticated requests.

If the API allows for browser-based authorization (i.e. Cookies) then the API will need to use the origin allowlist like the Action API does and add the Access-Control-Allow-Credentials to an OPTIONS request from those whitelisted origins.

Regardless, since Authorization and Cookie headers bypass the cache, it is not necessary to Vary the non-OPTIONS request by Origin.

Proposed Solution 1
Allow cross-origin requests using OAuth (requires OAuth2's authorization code grant):

  1. Add Access-Control-Allow-Origin: * to all OPTIONS requests
  2. Add Access-Control-Allow-Headers: Authorization, Content-Type to all OPTIONS requests
  3. Add Access-Control-Allow-Methods: * to all OPTIONS requests

Proposed Solution 2
Allow cross-origin requests using Cookies:

  1. Add Vary: Origin to all requests (maybe we can get away with just OPTIONS requests?)
  2. Use the existing origin allowlist and only do the following actions from one of those Origins:
    1. Add Access-Control-Allow-Credentials: true to all requests
    2. Add Access-Control-Allow-Origin: <Origin Requested> to all requests
    3. Add Access-Control-Allow-Headers: Content-Type to all OPTIONS requests
    4. Add Access-Control-Allow-Methods: HEAD, GET, POST, PUT, PATCH, DELETE to all OPTIONS requests

Proposed Solution 3
Allow cross-origin requests with OAuth2 (requires OAuth2's authorization code grant) and Cookies:

  1. Add Vary: Origin to all requests (maybe we can get away with just OPTIONS requests?)
  2. Add Access-Control-Allow-Headers: Authorization, Content-Type to all OPTIONS requests
  3. Use the existing origin allowlist and only do the following actions from one of those Origins:
    1. Add Access-Control-Allow-Origin: <Origin Requested> to all requests
    2. Add Access-Control-Allow-Credentials: true to all requests
    3. Add Access-Control-Allow-Methods: HEAD, GET, POST, PUT, PATCH, DELETE to all OPTIONS requests
  4. If the origin is not on the allowlist:
    1. Add Access-Control-Allow-Origin: * to all requests
    2. Add Access-Control-Allow-Methods: * to all OPTIONS requests
Related

Details

SubjectRepoBranchLines +/-
Handle CORS preflight request and prevent anon users from unsafe methodsmediawiki/coremaster+1 K -97
Add option to enable cross-origin resource sharing (CORS) in REST APImediawiki/coremaster+34 -4
Customize query in gerrit

Related Objects
Search...

Event Timeline

There are a very large number of changes, so older changes are hidden. Show Older Changes
dbarratt added a comment.Sep 12 2019, 12:17 AM

I created a task for discussing making MediaWiki unaware of the logged in status of its users: T232692

dbarratt added a comment.Sep 12 2019, 4:24 PM

Ok, let me rephrase this in the context of this task...

If the REST API were to force authorization through a token in the Authorization header (regardless of how that session is stored or not stored or the server), that would allow the authenticated, cross-origin requests without a domain whitelist (since the risk of CSRF has been mitigated).

Bawolff subscribed.Sep 12 2019, 4:36 PM

the server is not aware of the logged-in state

the clients authorization token is not transferred to the server in an automated way

I think what you mean, is that the server is able to evaluate what the user's session is without accessing any server-side state (e.g. You have an encrypted/authenticated cookie containing the entirety of the user's session).

Well that is certainly possible, I'm not sure why it would be a good idea or help in this situation.

the clients authorization token is not transferred to the server in an automated way

I guess you mean something like SameSite=lax cookie parameter? That would probably be a good idea for CSRF prevention in general, and seems pretty independent of the first part.

dbarratt added a comment.Sep 12 2019, 4:44 PM

@Bawolff I realized above, that I was conflating two different things (storage of the sessions and how the session token is transmitted to the server). What I mean is this:

In T232176#5488222, @dbarratt wrote:

If the REST API were to force authorization through a token in the Authorization header (regardless of how that session is stored or not stored or the server), that would allow the authenticated, cross-origin requests without a domain whitelist (since the risk of CSRF has been mitigated).

Bawolff added a comment.Sep 12 2019, 4:44 PM

Credentials
If the API allows for authorization with the authorization code grant (or some other authorization mechanism that is stateless and does not force the client app to expose it's own secrets), then it is safe to add Access-Control-Allow-Credentials. >However, if the user adds the credentials the Access-Control-Allow-Origin will need to be specific to the Origin requested. Since credentialed requests are not cached anyways, this shouldn't be a problem.

I'm confused. Are you talking about setting Access-Control-Allow-Credentials: true when Access-Control-Allow-Origin: *. My reading of https://fetch.spec.whatwg.org/#cors-protocol-and-credentials is that that is banned in the spec.

dbarratt updated the task description. (Show Details)Sep 12 2019, 4:44 PM
dbarratt added a comment.Sep 12 2019, 4:47 PM
In T232176#5488296, @Bawolff wrote:

I'm confused. Are you talking about setting Access-Control-Allow-Credentials: true when Access-Control-Allow-Origin: *. My reading of https://fetch.spec.whatwg.org/#cors-protocol-and-credentials is that that is banned in the spec.

We would only add Access-Control-Allow-Credentials: true if the request included an Authorization header (which bypasses the cache), if it did it would reply back with Access-Control-Allow-Origin: <the request Origin>. (Again, this assumes we wouldn't be using Cookies, if we are then we would still need the whitelist like the Action API).

Bawolff added a comment.Sep 12 2019, 5:04 PM
In T232176#5488306, @dbarratt wrote:
In T232176#5488296, @Bawolff wrote:

I'm confused. Are you talking about setting Access-Control-Allow-Credentials: true when Access-Control-Allow-Origin: *. My reading of https://fetch.spec.whatwg.org/#cors-protocol-and-credentials is that that is banned in the spec.

We would only add Access-Control-Allow-Credentials: true if the request included an Authorization header (which bypasses the cache), if it did it would reply back with Access-Control-Allow-Origin: <the request Origin>. (Again, this assumes we wouldn't be using Cookies, if we are then we would still need the whitelist like the Action API).

So in this scenario, if we're using solely the authorization header and no cookies (And i presume using our own authorization header, not HTTP basic auth or anything like that), why would we need Access-Control-Allow-credentials?

dbarratt added a comment.Sep 12 2019, 5:09 PM
In T232176#5488359, @Bawolff wrote:

So in this scenario, if we're using solely the authorization header and no cookies (And i presume using our own authorization header, not HTTP basic auth or anything like that), why would we need Access-Control-Allow-credentials?

If we wanted to allow authenticated cross-origin requests.

Example: From a web application, I can have you login using OAuth2 (authorization code grant) and make authenticated edits from the web application without needing a proxy server.

Now if we don't want to do that, that's totally fine, but since the REST API is new anyways, you get to make these types of decisions that you can't necessarily make with the Action API. This explains the genesis of this conversation, which is how T210790 is different from this task. :)

Bawolff added a comment.Sep 12 2019, 5:11 PM

But if your authentication is coming from an Authorization header, and no cookies are involved, the Access-Control-Allow-credentials would have no effect, as that only controls browser level credentials (cookies, TLS certs, http basic auth, etc)

dbarratt added a comment.EditedSep 12 2019, 5:15 PM
In T232176#5488383, @Bawolff wrote:

But if your authentication is coming from an Authorization header, and no cookies are involved, the Access-Control-Allow-credentials would have no effect, as that only controls browser level credentials (cookies, TLS certs, http basic auth, etc)

hmm, so the mozilla docs say:

Credentials are cookies, authorization headers or TLS client certificates.

I assumed that meant any Authorization header, are you saying a non-basic value doesn't apply? (if so, that's fascinating!)

Bawolff added a comment.EditedSep 12 2019, 5:20 PM

This is kind of an obscure aspect of CORS, and i certainly haven't tested it, so i might be wrong, but: https://fetch.spec.whatwg.org/#credentials says "Credentials are HTTP cookies, TLS client certificates, and authentication entries (for HTTP authentication). [COOKIES] [TLS] [HTTP-AUTH] ". My reading of that, combined with "A CORS non-wildcard request-header name is a byte-case-insensitive match for Authorization." would be that allow-credential just affect browser managed credentials, and if you explicitly put Authorization in the allowed headers (must be explicit, it is not included with a wildcard), then you can override the value of the Authorization header. But I haven't tested it, and CORS is complex, so I may be misunderstanding.

dbarratt added a comment.Sep 12 2019, 5:33 PM
In T232176#5488416, @Bawolff wrote:

My reading of that, combined with "A CORS non-wildcard request-header name is a byte-case-insensitive match for Authorization." would be that allow-credential just affect browser managed credentials, and if you explicitly put Authorization in the allowed headers (must be explicit, it is not included with a wildcard), then you can override the value of the Authorization header.

If that is the case (which I think that makes sense to me) then that's even better because then we shouldn't need to do anything for the authenticated requests to work cross-origin (assuming we use a custom Authorization)?

dbarratt added a comment.Sep 12 2019, 5:44 PM

Errr.. ok, we would need Access-Control-Allow-Headers: Authorization :)

dbarratt updated the task description. (Show Details)Sep 12 2019, 5:51 PM
Anomie added a comment.Sep 12 2019, 7:37 PM
In T232176#5488222, @dbarratt wrote:

Ok, let me rephrase this in the context of this task...

If the REST API were to force authorization through a token in the Authorization header (regardless of how that session is stored or not stored or the server), that would allow the authenticated, cross-origin requests without a domain whitelist (since the risk of CSRF has been mitigated).

Also that would mean we'd be requiring registration for anyone to be able to use the REST API. Anons would be locked out.

I'm also disturbed at how complex this is getting. Now we're talking about a custom Authorization header, not even OAuth which is already significantly complex? All to try to work around a "problem" (CSRF tokens) that isn't even much of a problem in the first place.

dbarratt added a comment.Sep 12 2019, 7:39 PM
In T232176#5488888, @Anomie wrote:

Also that would mean we'd be requiring registration for anyone to be able to use the REST API. Anons would be locked out.

Why?

I'm also disturbed at how complex this is getting. Now we're talking about a custom Authorization header, not even OAuth which is already significantly complex? All to try to work around a "problem" (CSRF tokens) that isn't even much of a problem in the first place.

OAuth is a custom Authorization header. :) (or rather, in the context that it is not managed by the browser)

dbarratt updated the task description. (Show Details)Sep 12 2019, 8:22 PM
eprodromou mentioned this in T237852: System Administrator avoids CSRF attacks on MediaWiki REST API.Nov 10 2019, 1:11 PM
Tgr added a subtask: T245474: CORS not enabled for OAuth 2.0 .Feb 18 2020, 1:02 AM
Danmichaelo subscribed.Apr 26 2020, 6:59 PM
gerritbot added a comment.Jun 28 2020, 1:31 AM

Change 608190 had a related patch set uploaded (by Dbarratt; owner: Dbarratt):
[mediawiki/core@master] Add option to enable cross-origin resource sharing (CORS) in REST API

https://gerrit.wikimedia.org/r/c/mediawiki/core/ /608190

gerritbot added a project: Patch-For-Review.Jun 28 2020, 1:31 AM
eprodromou edited projects, added Platform Team Workboards (Clinic Duty Team); removed Platform Team Workboards (Green).Jul 23 2020, 5:34 PM
eprodromou edited projects, added Platform Team Workboards (External Code Reviews); removed Platform Team Workboards (Clinic Duty Team).
Niedzielski added a parent task: T244287: Build the Vue.js search component network client.Aug 3 2020, 3:12 AM
dbarratt removed a subtask: T245474: CORS not enabled for OAuth 2.0 .Aug 3 2020, 4:09 AM
dbarratt added a parent task: T245474: CORS not enabled for OAuth 2.0 .
santhosh subscribed.Aug 3 2020, 4:47 PM
eprodromou triaged this task as High priority.Aug 4 2020, 8:40 PM
dbarratt updated the task description. (Show Details)Aug 11 2020, 3:02 PM
dbarratt mentioned this in T256535: Same-Origin policy prevents reading HTML pages cross-origin.
dbarratt mentioned this in T210790: Allow cross-origin requests by default in the Action API.
dbarratt updated the task description. (Show Details)Aug 11 2020, 5:30 PM
gerritbot added a comment.Aug 11 2020, 10:05 PM

Change 608190 merged by jenkins-bot:
[mediawiki/core@master] Add option to enable cross-origin resource sharing (CORS) in REST API

https://gerrit.wikimedia.org/r/608190

Maintenance_bot removed a project: Patch-For-Review.Aug 11 2020, 10:10 PM
ReleaseTaggerBot added a project: MW-1.36-notes (1.36.0-wmf.5; 2020-08-18).Aug 11 2020, 11:00 PM
holger.knust closed this task as Resolved.Aug 17 2020, 1:46 PM
holger.knust claimed this task.
holger.knust removed a project: Platform Team Workboards (External Code Reviews).
dbarratt added a comment.Aug 17 2020, 1:57 PM

I guess a separate task should be opened for credential'd cross-origin requests?

holger.knust reopened this task as Open.EditedAug 17 2020, 2:18 PM

@dbaratt My bad! Reopening it. No need to create a separate ticket for that.

dbarratt added a comment.Aug 17 2020, 2:23 PM
In T232176#6389060, @holger.knust wrote:

@dbaratt My bad! Reopening it. No need to create a separate ticket for that.

Sweet. I should clarify that this task only covers GET requests, but seems logical to get that worked out first before moving on to writable methods.

dbarratt renamed this task from Enable cross-origin resource sharing (CORS) in Core REST API to Enable cross-origin resource sharing (CORS) for GET requests in Core REST API.Aug 17 2020, 2:25 PM
dbarratt renamed this task from Enable cross-origin resource sharing (CORS) for GET requests in Core REST API to Enable cross-origin resource sharing (CORS) for requests in Core REST API.Aug 17 2020, 2:27 PM
dbarratt updated the task description. (Show Details)
In T232176#6389070, @dbarratt wrote:

Sweet. I should clarify that this task only covers GET requests, but seems logical to get that worked out first before moving on to writable methods.

Errr.... Adding Access-Control-Allow-Methods to either option for supporting credentials will fix this for writable methods as well. :)

dbarratt updated the task description. (Show Details)Aug 17 2020, 2:31 PM
dbarratt updated the task description. (Show Details)
dbarratt updated the task description. (Show Details)Aug 17 2020, 2:41 PM
dbarratt updated the task description. (Show Details)Aug 17 2020, 2:44 PM
dbarratt added a comment.Aug 17 2020, 2:47 PM

@eprodromou & @holger.knust I've updated that task description with three options. I think Option 3 is the best as it gives the most amount of flexibility for callers. It doesn't require that core knows whether OAuth2 is enabled or not as if MediaWiki has no way to handle a custom Authorization then the request will just fail authentication anyways.

We could also put the additional handling (a new hook?) in the OAuth extension. Basically it needs to handle OPTIONS requests and add additional headers (even if MediaWiki normally wouldn't).

eprodromou added a comment.EditedAug 20 2020, 3:31 PM
In T232176#6389244, @dbarratt wrote:

@eprodromou & @holger.knust I've updated that task description with three options. I think Option 3 is the best as it gives the most amount of flexibility for callers. It doesn't require that core knows whether OAuth2 is enabled or not as if MediaWiki has no way to handle a custom Authorization then the request will just fail authentication anyways.

I would be happy with Option 1. I think requiring OAuth 2.0 for any authenticated cross-site requests is more than fair.

So, unauthenticated read-only requests (GET, HEAD, OPTIONS...?) are OK. OAuth 2.0 authenticated write requests (POST, PUT, PATCH, DELETE) are OK. Everything else is forbidden.

We don't currently have any legacy calls across sites to the REST API, so I think we can do the right thing without needing to support older structures.

dbarratt added a comment.EditedAug 20 2020, 3:45 PM
In T232176#6400218, @eprodromou wrote:

I would be happy with Option 1. I think requiring OAuth 2.0 for any authenticated cross-site requests is more than fair.

Awesome. I can write a patch for this.

So, unauthenticated read-only requests (GET, HEAD, OPTIONS...?) are OK. OAuth 2.0 authenticated write requests (POST, PUT, PATCH, DELETE) are OK. Everything else is forbidden.

Right. And presumably, OAuth 2.0 authenticated GET reqeusts would be fine. There aren't many requests that require authentication for GET, but I can imagine there might be in the future, especially for things Anti-Harassment is working on.

We don't currently have any legacy calls across sites to the REST API, so I think we can do the right thing without needing to support older structures.

Just to clarify, this means that pages on ja.wikipedia.org will not be able to make authenticated requests to en.wikipedia.org without using OAuth. Is that acceptable? I think that is fine, but just want to make sure. Basically the user will need to explicitly authenticate to the other wiki there will be no passive authentication (like with the Action API). The only way I can see that being a problem is if someone wanted to query all or most of the wikis from the browser, but they probably shouldn't be doing that anyways. :)

dbarratt added a comment.Aug 20 2020, 3:47 PM
In T232176#6400277, @dbarratt wrote:

Just to clarify, this means that pages on ja.wikipedia.org will not be able to make authenticated requests to en.wikipedia.org without using OAuth. Is that acceptable? I think that is fine, but just want to make sure. Basically the user will need to explicitly authenticate to the other wiki there will be no passive authentication (like with the Action API). The only way I can see that being a problem is if someone wanted to query all or most of the wikis from the browser, but they probably shouldn't be doing that anyways. :)

Err..... they could implement a passive authentication by sharing the same OAuth2 Authentication keys. :)

dbarratt updated the task description. (Show Details)Aug 20 2020, 3:53 PM
dbarratt updated the task description. (Show Details)Aug 20 2020, 3:55 PM
dbarratt updated the task description. (Show Details)
dbarratt updated the task description. (Show Details)Aug 20 2020, 4:01 PM
dbarratt added a comment.Aug 20 2020, 4:13 PM

@eprodromou & @holger.knust Sorry, I have another question... I assume the REST API does support making an edit without authentication (i.e. a POST to an edit endpoint?) If so, we should probably reject an unauthenticated write (anything other than HEAD or GET) where the Origin header does not match the current wiki's origin. I think this should be safe to do without adding a Vary: Origin because (afaik) only HEAD and GET are cached. (thought it also shouldn't hurt anything to add it to be safe).

We need the application to handle this, because CORS should allow it to happen (they might be authenticated), but the application I think should prevent it, otherwise we end up with issues like T40417.

If it does not allow unauthenticated writes, then what I've outlined is fine. :)

eprodromou mentioned this in T244287: Build the Vue.js search component network client.Aug 20 2020, 9:18 PM
gerritbot added a comment.Aug 22 2020, 7:32 PM

Change 621900 had a related patch set uploaded (by Dbarratt; owner: Dbarratt):
[mediawiki/core@master] Handle CORS preflight request and prevent anon users from unsafe methods

https://gerrit.wikimedia.org/r/621900

gerritbot added a project: Patch-For-Review.Aug 22 2020, 7:32 PM
dbarratt mentioned this in T261053: REST API unnecessarily asks for CSRF tokens.Aug 24 2020, 8:43 PM
dbarratt mentioned this in T261358: Review CORS strategy for WikimediaApiPortalOAuth extension.Aug 29 2020, 11:06 PM
dbarratt added a comment.Aug 29 2020, 11:08 PM

The patch I've submitted should do the trick. But please review. :)

Pchelolo subscribed.Aug 29 2020, 11:22 PM

Just to clarify, this means that pages on ja.wikipedia.org will not be able to make authenticated requests to en.wikipedia.org without using OAuth.

Ok, this would also mean that none of the sites could use the new API Gateway (api.wikimedia.org). It would be fine for now since the gateway only exposes APIs that are also available under the wikis own domain, but as I understand ultimately we would want to use it in our own code as well.

I'd root for option 3 as the most flexible one to implement in core. If for some reason we'd want different CORS rules for APIs exposed under API.wikimedia.org, we'd be able to override them in envoy.

dbarratt updated the task description. (Show Details)Aug 29 2020, 11:46 PM
dbarratt updated the task description. (Show Details)
dbarratt added a comment.Aug 29 2020, 11:50 PM

AH! I forgot that Access-Control-Allow-Credentials is a response header for simple requests (not just OPTIONS). This means we'd need to add Vary: Origin to all requests if we want to support Option 2 or Option 3. We could add a query parameter with the origin, which might save a little bit of cache variance, but I can't imagine it would be a ton.

dbarratt updated the task description. (Show Details)Aug 29 2020, 11:51 PM
dbarratt mentioned this in T40417: MediaWiki's anonymous edit token leaves wiki installations (incl. Wikipedia) open to mass anonymous spam we can't block.Aug 31 2020, 2:42 PM
Pchelolo added a comment.Aug 31 2020, 6:48 PM

An update from the discussion over T261358

We have agreed to go with Option 1 as a default, but leave a capability for the developer to opt-in to Option 3 by overriding a method in a Handler class. Manually mangling the CORS headers will still be disallowed.

@dbarratt is that your understanding as well? Do you want to amend your patch to support the revised proposal, or do you want me to take over? Alternatively, we can get your patch in as pure Option 1, and I'll do the revised proposal as a followup.

dbarratt added a comment.Aug 31 2020, 6:54 PM
In T232176#6424790, @Pchelolo wrote:

@dbarratt is that your understanding as well? Do you want to amend your patch to support the revised proposal, or do you want me to take over? Alternatively, we can get your patch in as pure Option 1, and I'll do the revised proposal as a followup.

I think the only thing that needs to be revised is what is in T261053 ? But if you could review both patches that would be much appreciated. :)

Pchelolo mentioned this in T261696: MW REST Framework support for authenticated CORS.Aug 31 2020, 9:09 PM
dbarratt added a comment.Sep 1 2020, 3:21 PM

I had an idea in T261696#6427063 that we should use Option 1 by default, but add a config variable to enable Option 3. Effectively a wiki could opt-into allowing cookie auth for cross-origin requests. This would be enabled on Meta, but disabled on all other wikis. This should fix @Pchelolo's dilemma while also limiting the performance impact.

dbarratt updated the task description. (Show Details)Sep 5 2020, 2:58 PM
dbarratt mentioned this in T245474: CORS not enabled for OAuth 2.0 .Sep 5 2020, 8:13 PM
Tgr subscribed.Sep 8 2020, 1:34 AM
In T232176#6421123, @dbarratt wrote:

We could add a query parameter with the origin, which might save a little bit of cache variance, but I can't imagine it would be a ton.

It would reduce the number of cache entries per URL from the number of domains those requests come from to the number of whitelisted domains. That's a pretty big change. Chances are we only want to cache responses to requests which do not require authentication, so maybe we could only add Vary for those, but that's easy and dangerous to mess up.

I suppose we could mangle Origin headers at the edge cache layer if we are desperate.

Tgr added a comment.Sep 8 2020, 1:42 AM

Disallowing cross-domain cookie authentication would make life harder for many technical contributors who are probably not familiar with OAuth and write gadgets in their limited free time. Although maybe a good abstraction layer in the JS libraries could solve that (much like mw.Api hides the complexity of token mechanics).
It would also make testing and debugging harder (right now I can share an URL for an authenticated GET API call and it just works).

OTOH cross-domain via cookies is somewhat fragile as the cookie/session for some specific domain can expire without warning; OAuth does not have that problem.

eprodromou added a comment.Sep 8 2020, 1:27 PM

So, I'm lost in this discussion, and we're still hitting CORS errors. What needs to happen to let our Web team use the REST search API endpoint?

Pchelolo added a comment.EditedSep 8 2020, 1:29 PM
In T232176#6442803, @eprodromou wrote:

So, I'm lost in this discussion, and we're still hitting CORS errors. What needs to happen to let our Web team use the REST search API endpoint?

https://gerrit.wikimedia.org/r/c/mediawiki/core/+/621900 needs to happen for CORS support.
Web team can just use the same domain since the search endpoint is exposed on per-domain basis.

eprodromou added a comment.Sep 8 2020, 1:44 PM
In T232176#6442808, @Pchelolo wrote:

https://gerrit.wikimedia.org/r/c/mediawiki/core/+/621900 needs to happen for CORS support.

Awesome. I'm not sure how this got jammed up. I asked for unauthenticated + OAuth 2.0 authenticated calls to get done ASAP, and we could work out what to do with Cookie-authenticated calls later. But it seems like we needed to have the Cookie-authenticated discussion first.

Regardless, I'm fine moving forward with this. The writeable REST endpoints require a CSRF token under Cookie authentication, so I think we're OK to move this forward. Consider proposal 3 to have PM sign-off, and please merge ASAP to get our Web team unblocked.

eprodromou added a comment.Sep 8 2020, 1:49 PM
In T232176#6442808, @Pchelolo wrote:

Web team can just use the same domain since the search endpoint is exposed on per-domain basis.

Apparently the Web team does their development on localhost or other domains, but make API calls to the production domains, so they are running into this problem.

dbarratt added a comment.Sep 8 2020, 7:36 PM
In T232176#6442887, @eprodromou wrote:

Apparently the Web team does their development on localhost or other domains, but make API calls to the production domains, so they are running into this problem.

Could your team deploy a patch to enable $wgAllowCrossOrigin on all wikis? That would be the first step and enable anon GET/HEAD requests. :)

It looks like the Search endpoint is a GET so deploying a config patch should unblock the team. :)

dbarratt removed a parent task: T245474: CORS not enabled for OAuth 2.0 .Sep 9 2020, 2:51 PM
eprodromou added a comment.Sep 9 2020, 4:54 PM
In T232176#6444175, @dbarratt wrote:
In T232176#6442887, @eprodromou wrote:

Apparently the Web team does their development on localhost or other domains, but make API calls to the production domains, so they are running into this problem.

Could your team deploy a patch to enable $wgAllowCrossOrigin on all wikis? That would be the first step and enable anon GET/HEAD requests. :)

It looks like the Search endpoint is a GET so deploying a config patch should unblock the team. :)

I'm pretty sure @Pchelolo is working on this right now.

dbarratt closed subtask T262425: Enable $wgAllowCrossOrigin on all Wikimedia wikis as Resolved.Sep 9 2020, 6:20 PM
gerritbot added a comment.Sep 21 2020, 11:57 PM

Change 621900 merged by BPirkle:
[mediawiki/core@master] Handle CORS preflight request and prevent anon users from unsafe methods

https://gerrit.wikimedia.org/r/621900

dbarratt closed this task as Resolved.Sep 22 2020, 2:57 AM
Aklapper removed a subscriber: Anomie.Oct 16 2020, 5:40 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL