Steps to Reproduce
- Use the MediaWiki REST API to make a POST, PUT, or DELETE request without a token parameter
Actual Results
The API will respond with a 400 error:
The "token" parameter must be set.
Expected Results
Because the REST API requires a Content-Type of application/json, it is impossible to make a cross-site request forgery against it: application/json is not a CORS-safelisted Content-Type value, so the request is a non-simple request. For a non-simple request the browser first issues a preflight (OPTIONS) request to ask the server whether the real request, including the user's session cookies, may be sent. Since the server never responds with Access-Control-Allow-Credentials, the browser will never send the user's session cookie.
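The browser-side decision described above, as an added example that is not part of the report or of MediaWiki: a small model of the CORS rules that decide whether a cross-origin request is "simple" (sent with cookies, no preflight) or preflighted (cookies only if the server opts in). It ignores the SameSite cookie attribute, and the sample request and origin are constructed for illustration.

```javascript
// CORS-safelisted methods, header names, and Content-Type values (per the Fetch standard).
const SAFE_METHODS = new Set(['GET', 'HEAD', 'POST']);
const SAFE_HEADERS = new Set(['accept', 'accept-language', 'content-language', 'content-type']);
const SAFE_CONTENT_TYPES = new Set(['application/x-www-form-urlencoded', 'multipart/form-data', 'text/plain']);

// A header is safelisted only if its name is safelisted and, for Content-Type,
// its MIME type is one an HTML form could have produced anyway (application/json is not).
function isSafelistedHeader(name, value) {
  const n = name.toLowerCase();
  if (!SAFE_HEADERS.has(n)) return false;
  if (n !== 'content-type') return true;
  return SAFE_CONTENT_TYPES.has(value.split(';')[0].trim().toLowerCase());
}

// "Simple" requests go out without a preflight, so cookies are attached before the server
// can object. Anything else (PUT/DELETE, or Content-Type: application/json) is preflighted.
function isSimpleRequest(req) {
  return SAFE_METHODS.has(req.method.toUpperCase()) &&
    Object.entries(req.headers).every(([k, v]) => isSafelistedHeader(k, v));
}

// Would the browser send the user's cookies with this cross-origin request?
// `origin` is the requesting page's origin; `preflight` holds the headers the server
// returned to the OPTIONS preflight (lower-case names; an empty object if it sent none).
function cookiesSentCrossOrigin(req, origin, preflight) {
  if (isSimpleRequest(req)) return true; // SameSite ignored here (stated assumption)
  const list = (h) => (preflight[h] || '').split(',').map((s) => s.trim()).filter(Boolean);
  // Credentialed requests need the exact origin echoed back ('*' is rejected) plus an explicit opt-in.
  if (preflight['access-control-allow-origin'] !== origin) return false;
  if (preflight['access-control-allow-credentials'] !== 'true') return false;
  const method = req.method.toUpperCase();
  const methods = list('access-control-allow-methods').map((m) => m.toUpperCase());
  if (!SAFE_METHODS.has(method) && !methods.includes(method)) return false;
  const headers = list('access-control-allow-headers').map((h) => h.toLowerCase());
  return Object.entries(req.headers).every(
    ([k, v]) => isSafelistedHeader(k, v) || headers.includes(k.toLowerCase()));
}

// Constructed sample: a cross-site JSON PUT of the kind the REST API receives, from another origin.
const crossSiteJsonPut = { method: 'PUT', headers: { 'Content-Type': 'application/json' } };
const otherOrigin = 'https://other.example';
```

With an empty preflight response the JSON PUT never carries cookies, while a text/plain form POST is simple and would; that is why the argument depends on the API continuing to reject non-JSON bodies.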
Proposed Solution
Remove the CSRF token requirement from the REST API and deprecate the endpoint to retrieve the tokens.