Origin
The Access-Control-Allow-Origin response header should be set on all responses and given a default value of * for wikis that are not on an intranet (i.e. behind a firewall). It is completely safe to set this as the default value. MediaWiki should allow this behavior to be disabled if you are running MediaWiki on an intranet.
Doing this provides a much better developer experience, since developers can use the API from another origin automatically, without any per-origin configuration.
Proposed Solution
Add Access-Control-Allow-Origin: * to all requests (config option to disable)
Credentials
If the API allows for authorization with the authorization code grant (or some other authorization mechanism that does not force the client app to expose its own secrets), then it is safe to add Access-Control-Allow-Headers with a value of Authorization (this header only needs to be added to the response to an OPTIONS request). This would allow non-allowlisted origins to make cross-origin authenticated requests.
If the API allows for browser-based authorization (i.e. Cookies), then the API will need to use the origin allowlist like the Action API does and add Access-Control-Allow-Credentials to the response to an OPTIONS request from those allowlisted origins.
Regardless, since requests carrying Authorization or Cookie headers bypass the cache, it is not necessary to Vary the non-OPTIONS response by Origin for them.
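To make the caching argument above concrete, here is an added example (not MediaWiki code) that models a shared cache sitting in front of the API. It shows the two behaviours the section relies on: a request carrying Authorization or Cookie never touches the cache at all, and a cacheable response that echoes the request Origin in Access-Control-Allow-Origin is served correctly to a second origin only when the stored response also carries Vary: Origin. The allowlist, origins and URL paths are constructed sample values.

```python
"""Shared-cache model for the Vary: Origin question in the Credentials section.

Added example, not MediaWiki code. ALLOWLIST and the URLs are constructed values.
"""
from typing import Dict, Optional, Tuple

ALLOWLIST = {"https://tool.example"}  # constructed sample allowlist


def origin_response(req: Dict[str, str], vary_origin: bool) -> Dict[str, str]:
    """Allowlisted origins get their origin echoed (plus credentials), others get '*'."""
    origin = req.get("Origin")
    allowed = origin in ALLOWLIST
    resp = {"Access-Control-Allow-Origin": origin if allowed else "*"}
    if allowed:
        resp["Access-Control-Allow-Credentials"] = "true"
    if vary_origin:
        resp["Vary"] = "Origin"
    return resp


class SharedCache:
    """Minimal RFC 9111-style cache: a stored entry matches a later request only if
    the request header values named by the entry's Vary field are identical."""

    def __init__(self) -> None:
        self.entries: Dict[str, list] = {}

    def fetch(self, url: str, req: Dict[str, str], vary_origin: bool) -> Tuple[Dict[str, str], str]:
        # Credentialed requests bypass the cache entirely, as the section states.
        if "Authorization" in req or "Cookie" in req:
            return origin_response(req, vary_origin), "bypass"
        for fields, values, resp in self.entries.get(url, []):
            if all(req.get(f) == v for f, v in zip(fields, values)):
                return resp, "hit"
        resp = origin_response(req, vary_origin)
        fields = tuple(f.strip() for f in resp.get("Vary", "").split(",") if f.strip())
        values = tuple(req.get(f) for f in fields)
        self.entries.setdefault(url, []).append((fields, values, resp))
        return resp, "miss"


def browser_accepts(origin: str, resp: Dict[str, str]) -> bool:
    """The CORS check a browser applies to a non-credentialed response."""
    return resp.get("Access-Control-Allow-Origin") in ("*", origin)


def second_origin_outcome(vary_origin: bool) -> Tuple[str, bool]:
    """An allowlisted page warms the cache for a URL, then a page on another origin
    requests the same URL anonymously. Returns (cache status for the second request,
    whether the second page can read the response)."""
    cache = SharedCache()
    url = "/w/rest.php/v1/page/Example"  # constructed sample path
    cache.fetch(url, {"Origin": "https://tool.example"}, vary_origin)
    resp, status = cache.fetch(url, {"Origin": "https://other.example"}, vary_origin)
    return status, browser_accepts("https://other.example", resp)


def credentialed_outcome() -> str:
    """A Cookie-bearing request from the allowlisted origin never reaches the cache."""
    cache = SharedCache()
    req = {"Origin": "https://tool.example", "Cookie": "session=constructed"}
    _, status = cache.fetch("/w/rest.php/v1/me", req, False)
    return status
```

Without Vary: Origin the second origin gets a cache hit whose Access-Control-Allow-Origin names the first origin, and the browser rejects the response; with Vary: Origin it gets its own entry. The credentialed case returns "bypass" regardless, which is the reason the Vary question only matters for anonymous, cacheable responses.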
Proposed Solution 1
Allow cross-origin requests using OAuth (requires OAuth2's authorization code grant):
- Add Access-Control-Allow-Origin: * to all OPTIONS requests
- Add Access-Control-Allow-Headers: Authorization, Content-Type to all OPTIONS requests
- Add Access-Control-Allow-Methods: * to all OPTIONS requests
Proposed Solution 2
Allow cross-origin requests using Cookies:
- Add Vary: Origin to all requests (maybe we can get away with just OPTIONS requests?)
- Use the existing origin allowlist and only do the following actions from one of those Origins:
  - Add Access-Control-Allow-Credentials: true to all requests
  - Add Access-Control-Allow-Origin: <Origin Requested> to all requests
  - Add Access-Control-Allow-Headers: Content-Type to all OPTIONS requests
  - Add Access-Control-Allow-Methods: HEAD, GET, POST, PUT, PATCH, DELETE to all OPTIONS requests
Proposed Solution 3
Allow cross-origin requests with OAuth2 (requires OAuth2's authorization code grant) and Cookies:
- Add Vary: Origin to all requests (maybe we can get away with just OPTIONS requests?)
- Add Access-Control-Allow-Headers: Authorization, Content-Type to all OPTIONS requests
- Use the existing origin allowlist and only do the following actions from one of those Origins:
  - Add Access-Control-Allow-Origin: <Origin Requested> to all requests
  - Add Access-Control-Allow-Credentials: true to all requests
  - Add Access-Control-Allow-Methods: HEAD, GET, POST, PUT, PATCH, DELETE to all OPTIONS requests
- If the origin is not on the allowlist:
  - Add Access-Control-Allow-Origin: * to all requests
  - Add Access-Control-Allow-Methods: * to all OPTIONS requests
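The three proposals and the intranet switch from the Origin section can be expressed as one header-selection function. The following is an added example, not MediaWiki's own CORS implementation; the parameter names are assumptions: enable_cors stands for the proposed config option to disable CORS on intranet wikis, oauth_auth_code_grant for whether the API offers OAuth2's authorization code grant, and allowlist for the existing origin allowlist the Action API uses. With only oauth_auth_code_grant set the output is Proposed Solution 1, with only an allowlist it is Proposed Solution 2, and with both it is Proposed Solution 3. A second function checks two invariants a reviewer would want on any emitted header set.

```python
"""Response-header logic for Proposed Solutions 1-3 and the Origin section.

Added example, not MediaWiki code. `enable_cors`, `oauth_auth_code_grant` and
`allowlist` are assumed names for the proposal's config option, the OAuth2
authorization code grant, and the existing origin allowlist respectively.
"""
from typing import Dict, Optional, Set

EXPLICIT_METHODS = "HEAD, GET, POST, PUT, PATCH, DELETE"


def cors_headers(method: str, origin: Optional[str], *, enable_cors: bool = True,
                 oauth_auth_code_grant: bool = False,
                 allowlist: Optional[Set[str]] = None) -> Dict[str, str]:
    """Return the CORS response headers for one request."""
    headers: Dict[str, str] = {}
    if not enable_cors or origin is None:
        # Intranet wiki, or a request with no Origin (same-origin or non-browser).
        return headers
    allowlist = allowlist or set()
    preflight = method.upper() == "OPTIONS"

    if allowlist:
        # Cookie-based auth is in play, so the response depends on the Origin.
        headers["Vary"] = "Origin"

    if origin in allowlist:
        # Solutions 2 and 3: echo the origin and allow credentials.
        headers["Access-Control-Allow-Origin"] = origin
        headers["Access-Control-Allow-Credentials"] = "true"
        if preflight:
            headers["Access-Control-Allow-Methods"] = EXPLICIT_METHODS
    else:
        # Origin section default, Solution 1, and the non-allowlisted branch of Solution 3.
        headers["Access-Control-Allow-Origin"] = "*"
        if preflight:
            headers["Access-Control-Allow-Methods"] = "*"

    if preflight:
        allowed = ["Content-Type"]
        if oauth_auth_code_grant:
            # Safe only because the grant does not expose the client's secrets.
            allowed.insert(0, "Authorization")
        headers["Access-Control-Allow-Headers"] = ", ".join(allowed)
    return headers


def check_invariants(headers: Dict[str, str]) -> bool:
    """A credentialed response must never use the wildcard origin (browsers reject
    that combination), and an echoed origin must always be paired with Vary: Origin."""
    acao = headers.get("Access-Control-Allow-Origin")
    credentialed = headers.get("Access-Control-Allow-Credentials") == "true"
    if credentialed and acao == "*":
        return False
    if acao not in (None, "*") and headers.get("Vary") != "Origin":
        return False
    return True
```

Calling cors_headers("OPTIONS", "https://tool.example", allowlist={"https://tool.example"}) yields exactly the Solution 2 preflight set, while the same call with oauth_auth_code_grant=True and a non-allowlisted origin yields the wildcard branch of Solution 3 with Authorization in Access-Control-Allow-Headers.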