Reduce CORS preflight requests
Closed, Resolved · Public · 3 Estimated Story Points

Description

I also notice that there's a CORS preflight request for every request to wikis other than meta. I don't know if the default can be changed, but it would be nice if the responses of those OPTIONS requests were cached for some time. At the moment they're explicitly no-cache. If you get the CORS green light for GET/POST through an OPTIONS request for that particular API URL, there's no reason that you wouldn't get it again a few seconds later... Even being cached for a few minutes would basically cut the amount of requests generated by the live updates by half.

Event Timeline

Restricted Application added a subscriber: Aklapper.
DannyS712 set the point value for this task to 3.
DannyS712 moved this task from Unsorted to Next on the User-DannyS712 board.

@Gilles where exactly are you seeing that there is a CORS request being made each time and that it is explicitly no-cache? I'm just using the mw.ForeignApi() JavaScript module, and I don't see anything in ext.centralauth.ForeignApi.js, mediawiki.ForeignApi.core.js, or the base mw.Api index.js about CORS requests.

On the latest Chrome stable I see an OPTIONS CORS preflight request before every API request to other domains:

These requests are initiated by the browser itself. It's how it checks that the subsequent API request (which is the one you initiated from your code) is allowed by the other domain you're trying to reach.

Hmm, okay, will need to look into what the browser is doing since it's not a request made in the code itself.

I poked around a bit to try and add a 5 minute cache header, but wasn't able to get it to work - will try again later this week though

Edit: Tried again, managed to get it to correctly set Access-Control-Max-Age: 300. However, the OPTIONS call then fails, with mediawiki-cors-rejection: Unsupported header requested in preflight

I confirmed that this is the specific header failing based on the logs on fluorine

WARNING: CORS preflight failed on requested header: access-control-max-age {"header":"access-control-max-age"}

$wgAllowedCorsHeaders does not currently allow Access-Control-Max-Age as a header for cross-origin API requests. @Gilles unless this changes in core (or in WMF settings), is it possible to add this caching? If not, should we change the settings? Or not cache?

This looks like a safe header to add to me, but I'd suggest getting signoff from the security team to allow this header (probably in MediaWiki core's default value).
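
Added example (not part of the original thread and not MediaWiki's code): a simplified server-side preflight check showing why a header named in Access-Control-Request-Headers but absent from the allowlist fails the preflight, and where the cache lifetime appears on a successful preflight response. The allowlist contents, the origin and the function names are assumptions made for the illustration; only the rejection message and the 300-second value come from the thread.

```javascript
// Added illustration of a preflight check; not MediaWiki's implementation.
// ALLOWED_HEADERS is a constructed stand-in for an allowlist such as
// $wgAllowedCorsHeaders; ALLOWED_ORIGINS uses a constructed example origin.
const ALLOWED_HEADERS = new Set(['accept', 'content-type', 'api-user-agent']);
const ALLOWED_METHODS = new Set(['GET', 'POST']);
const ALLOWED_ORIGINS = new Set(['https://meta.example.org']);
const MAX_AGE_SECONDS = 300; // the 5-minute lifetime tried in the thread

// Split a comma-separated Access-Control-Request-Headers value into
// lower-cased names (header names are case-insensitive).
function parseRequestedHeaders(value) {
  return (value || '').split(',').map((h) => h.trim().toLowerCase()).filter(Boolean);
}

// req: preflight (OPTIONS) request headers keyed by lower-cased name.
// Returns { allowed, reason?, unsupported?, headers? } for the response.
function handlePreflight(req) {
  const origin = req['origin'];
  if (!ALLOWED_ORIGINS.has(origin)) {
    return { allowed: false, reason: 'Origin not allowed' };
  }
  if (!ALLOWED_METHODS.has(req['access-control-request-method'])) {
    return { allowed: false, reason: 'Method not allowed' };
  }
  const requested = parseRequestedHeaders(req['access-control-request-headers']);
  const unsupported = requested.filter((h) => !ALLOWED_HEADERS.has(h));
  if (unsupported.length > 0) {
    // Fail closed: one unlisted header rejects the whole preflight.
    return { allowed: false, reason: 'Unsupported header requested in preflight', unsupported };
  }
  return {
    allowed: true,
    headers: {
      'Access-Control-Allow-Origin': origin, // echo the vetted origin rather than "*"
      'Access-Control-Allow-Methods': [...ALLOWED_METHODS].join(', '),
      'Access-Control-Allow-Headers': requested.join(', '),
      'Access-Control-Max-Age': String(MAX_AGE_SECONDS), // browser may cache this answer
      'Vary': 'Origin', // keep shared caches from reusing another origin's answer
    },
  };
}

// Constructed sample preflights.
const base = { 'origin': 'https://meta.example.org', 'access-control-request-method': 'GET' };
const rejected = handlePreflight({ ...base, 'access-control-request-headers': 'Api-User-Agent, Access-Control-Max-Age' });
const accepted = handlePreflight({ ...base, 'access-control-request-headers': 'Api-User-Agent' });
console.log(rejected.reason, rejected.unsupported);
console.log(accepted.headers['Access-Control-Max-Age']);
```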

DannyS712 changed the task status from Stalled to Open. Dec 23 2020, 6:22 AM
DannyS712 moved this task from Later to In progress on the MediaWiki-extensions-GlobalWatchlist board.
DannyS712 moved this task from Later to Awaiting review and deployment on the User-DannyS712 board.
DannyS712 added a project: Patch-For-Review.

Change 651708 had a related patch set uploaded (by DannyS712; owner: DannyS712):
[mediawiki/extensions/GlobalWatchlist@master] Set Access-Control-Max-Age header in api requests

https://gerrit.wikimedia.org/r/651708

Change 651708 merged by jenkins-bot:
[mediawiki/extensions/GlobalWatchlist@master] Set Access-Control-Max-Age header in api requests

https://gerrit.wikimedia.org/r/651708

DannyS712 claimed this task.
DannyS712 removed a project: Patch-For-Review.
DannyS712 set Final Story Points to 3.
DannyS712 moved this task from In progress to Done on the MediaWiki-extensions-GlobalWatchlist board.