"As an System Administrator, I want the MediaWiki REST API to avoid cross-site request forgery attacks, to preserve the privacy of our users and integrity of our data."
In building the new MediaWiki REST API, we've run into a design problem.
The Action API uses CSRF tokens for many write functions, like creating or updating a page. So far, we can't find another public API that uses CSRF tokens. We don't want to add a requirement for developers to provide a CSRF token if they’re not needed.
It looks like the Action API requires CSRF tokens because it supports session cookie authorization.
For the MediaWiki REST API, we will typically support OAuth 1.0 or OAuth 2.0 for authorization.
However, we may need to support session cookie authorization for the official web clients.
For the MediaWiki REST API, we’ll add an optional CSRF token parameter for any endpoint that modifies state (typically POST, PUT, or DELETE endpoints). If it is called with session cookie authorization, we require the CSRF token to be provided additionally.
Another solution is to disallow authorization to the MW REST API with session cookies. This would be awesome, but there's some opposition to doing it in our group.
We'll need to work this out in order to resolve T232176, also. Making it easy for other sites to call our public REST API is much, much more important for the API than supporting session cookie authorization.