Page MenuHomePhabricator

Client Developer makes an API call from the Web browser
Open, HighPublic

Description

"As a Client Developer, I want to make API calls from a Web browser, so that I can use the Web platform to make Wikimedia client apps."

This is essentially "configure CORS so that developers can make calls from other services."

Ideally, we would just set it up so CORS would allow calls from any domain for any route on the server.

Unfortunately, we're also going to be serving the API portal from the same host, and the Web interface for MediaWiki requires having CORS block access to the API from other domains (I think).

So, best case is full server is available without CORS blocking. Second-best case is that the MediaWiki routes are available with whatever CORS baloney they need, and the API gateway routes are unblocked by CORS.

Event Timeline

eprodromou reassigned this task from eprodromou to hnowlan.Tue, Jun 30, 4:19 PM
eprodromou triaged this task as High priority.

This is another detail that came up from discussions. Since we're going to be routing the API Portal on the same hostname as the Gateway, we need to make sure that CORS works the right way for the APIs (doesn't block API use) and for the Web interface of the Portal.

Setting CORS on a per-path basis should be doable and I'll build this into the chart. Will we require any custom CORS policy for the API portal at all or can we assume that there will be no requirement for cross-site requests to the portal specifically?