On a wiki, actions that call the API (such as adding a page to the watchlist via the 'star' tab next to the edit button) trigger a warning-level log message saying Non-whitelisted CORS request with session cookies, even when the request is made from the wiki itself.
This is not a security issue, since it is only a MediaWiki log message, but it should not be generated in this case: we are on the wiki itself, so this is not a cross-site request. This task is only about avoiding polluting the logs in this case.
Steps to reproduce
- Install MediaWiki served by some web server with a proper domain name (or IP address)
- In LocalSettings.php, set $wgDebugLogFile = '/tmp/some-file.log';
- Monitor this file, e.g. with tail -f -n0 /tmp/some-file.log | grep CORS
- With a logged-in account on the wiki, click on the star tab to watch the main page
- The debug log file now contains the message [cors] Non-whitelisted CORS request with session cookies
This can also be reproduced with other log management systems when $wgMWLoggerDefaultSpi is configured. I guess this log appears in Wikimedia logs for private wikis because $wmgUseCORS is false and so $wgCrossSiteAJAXdomains is an empty array.
Cause
This log is generated by ApiMain::__construct() and was introduced in 43b2693a3359.
This can be fixed by adding $wgServer to the $wgCrossSiteAJAXdomains array, with a transform, because the protocol prefix matching ^(https?:)?// must be removed for $wgCrossSiteAJAXdomains. An alternative fix is to adapt the condition checked just before the logger call so that it excludes $wgServer.
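The first option above, written out as a LocalSettings.php fragment. This is an added example and not code from the original report or from MediaWiki; the host name is a constructed placeholder and the helper function name is hypothetical. It assumes, as the report states, that $wgCrossSiteAJAXdomains expects bare host names while $wgServer may carry an http:, https: or protocol-relative prefix.

```php
<?php
// LocalSettings.php fragment (added example; not from the original report
// or from MediaWiki). It applies the workaround described above: add the
// wiki's own host to $wgCrossSiteAJAXdomains with the ^(https?:)?// prefix
// stripped, because that setting takes host names rather than URLs.

// Constructed placeholder; in a real install $wgServer is already set.
// It may be absolute ("https://wiki.example.org") or protocol-relative
// ("//wiki.example.org"); the same pattern handles both forms.
$wgServer = 'https://wiki.example.org';

/**
 * Strip an optional "http:" or "https:" scheme and the leading "//" from a
 * server URL, returning the bare host (with port, if one is present).
 * Hypothetical helper name, not part of MediaWiki.
 */
function exampleServerToCorsHost( string $server ): string {
	return preg_replace( '!^(https?:)?//!', '', $server );
}

// Whitelist only the wiki's own host. A wildcard entry such as '*.example.org'
// is deliberately avoided: every host matched by the whitelist is allowed to
// make credentialed (session-cookie) API requests, so keep it as narrow as
// the own origin.
$wgCrossSiteAJAXdomains[] = exampleServerToCorsHost( $wgServer );
```

After adding this, repeat the reproduction steps above and confirm that the [cors] warning no longer appears in $wgDebugLogFile when watching a page from the wiki itself. The second option from the report (changing the condition in ApiMain so the wiki's own server is excluded before logging) is a core code change and is not shown here.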
MediaWiki version: 1.35.0-alpha