Page MenuHomePhabricator
Create Task
Maniphest T256535

Same-Origin policy prevents reading HTML pages cross-origin
Open, MediumPublic
Actions

Description

Problem
If a website would like to read the HTML pages in MediaWiki they are unable to do so because of the same-origin policy.

Proposed Solution
MediaWiki could add configuration that would add the Access-Control-Allow-Origin: * to all non-API requests. This is safe as long as MediaWiki is not being run on an intranet:

It is completely safe to augment any resource with Access-Control-Allow-Origin: * as long as the resource is not part of an intranet (behind a firewall).

https://annevankesteren.nl/2012/12/cors-101

A wiki should be able to opt-out (by default?) of this behavior since it is not safe to do this if the wiki is non-private and on an intranet (i.e. the only thing that secures the content is the firewall itself).

Related

Details

Related Changes in Gerrit:
SubjectRepoBranchLines +/-
Set the Access-Control-Allow-Origin header for HTML pagesmediawiki/coremaster+4 -0
Customize query in gerrit

Related Objects

Event Timeline

dbarratt created this task.Jun 27 2020, 3:16 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJun 27 2020, 3:16 PM
gerritbot added a comment.Jun 27 2020, 3:17 PM

Change 608156 had a related patch set uploaded (by Dbarratt; owner: Dbarratt):
[mediawiki/core@master] Add config option to add Access-Control-Allow-Origin: * header

https://gerrit.wikimedia.org/r/608156

gerritbot added a project: Patch-For-Review.Jun 27 2020, 3:17 PM
dbarratt mentioned this in T210790: Allow cross-origin requests by default in the Action API.Jun 27 2020, 3:26 PM
eprodromou edited projects, added Platform Team Workboards (Clinic Duty Team), Security; removed Platform Engineering.Jun 30 2020, 8:07 PM
eprodromou subscribed.

OK, we'll take a look in code review.

eprodromou edited projects, added Platform Engineering; removed Platform Team Workboards (Clinic Duty Team).Jun 30 2020, 8:07 PM
eprodromou edited projects, added Platform Team Workboards (External Code Reviews); removed Platform Engineering.

Ah, new tag!

eprodromou triaged this task as Medium priority.Jun 30 2020, 8:08 PM
dbarratt mentioned this in T232176: Enable cross-origin resource sharing (CORS) for requests in Core REST API.Aug 11 2020, 3:02 PM
dbarratt updated the task description. (Show Details)
Pppery edited projects, added Patch-Needs-Improvement; removed Patch-For-Review.Mar 28 2024, 8:12 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits