
API requests from the domain itself trigger CORS warnings in logs
Closed, ResolvedPublic

Description

On a wiki, actions calling the API (like adding a page to the watchlist by using the 'star' tab next to the edit button) trigger a log entry with level warning saying "Non-whitelisted CORS request with session cookies" when we are on the wiki itself.

This is not a security issue given it is only a MW log, but it should not be generated in this case: we are on the wiki itself, so this is not a cross-site request. This task is only to avoid polluting the logs in this case.

Steps to reproduce

  1. Install MediaWiki served by some webserver with a proper domain name (or IP address)
  2. In LocalSettings.php, set $wgDebugLogFile = '/tmp/some-file.log';
  3. Monitor this file, e.g. with tail -f -n0 /tmp/some-file.log | grep CORS
  4. With a logged-in account on the wiki, click on the star tab to watch the main page
  5. The debug log file now contains the message "[cors] Non-whitelisted CORS request with session cookies"

This can also be reproduced with other log management systems when $wgMWLoggerDefaultSpi is configured. I guess this log appears in Wikimedia logs for private wikis because $wmgUseCORS is false and so $wgCrossSiteAJAXdomains is an empty array.

Cause

This log is generated by ApiMain::__construct() and was introduced in 43b2693a3359.

This can be fixed by adding $wgServer to the array $wgCrossSiteAJAXdomains with some transform, because the protocol ^(https?:)?// must be removed for $wgCrossSiteAJAXdomains. An alternative fix is to adapt the condition checked just before the logger to exclude $wgServer.

MediaWiki version: 1.35.0-alpha
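A LocalSettings.php fragment for the first workaround described in the task (adding the wiki's own host to $wgCrossSiteAJAXdomains). This is an added example for this page, not code from the task, the patches or MediaWiki core. It assumes $wgServer is already set earlier in LocalSettings.php in one of the forms MediaWiki accepts (https://host, http://host:port, or protocol-relative //host); the local variable $localApiHost is hypothetical. The only transform is the one the description names, stripping the ^(https?:)?// prefix, since $wgCrossSiteAJAXdomains entries are host[:port] values without a scheme.

```php
// Added example for this task (not code from the task or MediaWiki core).
// Append to LocalSettings.php after $wgServer is set, e.g.
//   $wgServer = "https://wiki.example.org";   // hostname
//   $wgServer = "http://203.0.113.5:8080";    // IP address with port
//   $wgServer = "//wiki.example.org";         // protocol-relative
// $wgCrossSiteAJAXdomains takes host[:port] entries without a scheme, so the
// "^(https?:)?//" prefix named in the task is stripped before adding it.

// $localApiHost is a hypothetical local variable used only by this fragment.
$localApiHost = preg_replace( '!^(https?:)?//!', '', $wgServer );

// Skip an empty or failed result (e.g. $wgServer not set) and do not add a
// duplicate if the host is already listed explicitly.
if ( $localApiHost !== null && $localApiHost !== ''
	&& !in_array( $localApiHost, $wgCrossSiteAJAXdomains, true )
) {
	$wgCrossSiteAJAXdomains[] = $localApiHost;
}
```

Listing only the wiki's own host does not widen cross-site access: requests from that origin are same-origin already, so the API merely stops counting them as non-whitelisted. The fix that was actually merged (change 568528 below) removed the log line instead, so on versions carrying that change the fragment is unnecessary.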

Event Timeline

Restricted Application added a subscriber: Aklapper.
Anomie added a subscriber: Anomie.

We might also fix this by just removing the log entry entirely, since it seems it was never actually used for anything.

Change 568526 had a related patch set uploaded (by Anomie; owner: Anomie):
[mediawiki/core@master] API: Don't log "non-whitelisted CORS origin" for $wgServerName

https://gerrit.wikimedia.org/r/568526

Change 568528 had a related patch set uploaded (by Anomie; owner: Anomie):
[mediawiki/core@master] API: Remove unused "non-whitelisted CORS origin" log

https://gerrit.wikimedia.org/r/568528

Thanks for this quick answer!

Change 568528 merged by jenkins-bot:
[mediawiki/core@master] API: Remove unused "non-whitelisted CORS origin" log

https://gerrit.wikimedia.org/r/568528

Change 568526 abandoned by Anomie:
API: Don't log "non-whitelisted CORS origin" for $wgServerName

Reason:
In favor of I799b17a5f4891f9e739d6b62551a5736b8a6664e

https://gerrit.wikimedia.org/r/568526

This fix should be deployed to Wikimedia sites with 1.35.0-wmf.19; see https://www.mediawiki.org/wiki/MediaWiki_1.35/Roadmap for a (probably tentative) schedule.

@AMooney, I understand that this ticket is resolved. Should it be in the Done or Waiting for Deployment column instead of the Waiting for Review one?