In T260860#6633233, @Gilles wrote:I also notice that there's a CORS preflight request for every request to wikis other than meta. I don't know if the default can be changed, but it would be nice if the responses of those OPTIONS requests were cached for some time. At the moment they're explicitly no-cache. If you get the CORS green light for GET/POST through an OPTIONS requests for that particular API URL, there's no reason that you wouldn't get it again a few seconds later... Even being cached for a few minutes would basically cut the amount of requests generated by the live updates by half.
Description
Description
Details
Details
| Subject | Repo | Branch | Lines +/- | |
|---|---|---|---|---|
| Set `Access-Control-Max-Age` header in api requests | mediawiki/extensions/GlobalWatchlist | master | +2 -0 |
| Status | Subtype | Assigned | Task | ||
|---|---|---|---|---|---|
| Resolved | DannyS712 | T268267 Reduce CORS preflight requests | |||
| Resolved | DannyS712 | T269636 Add `Access-Control-Max-Age` to `$wgAllowedCorsHeaders` |
Event Timeline
Comment Actions
@Gilles where exactly are you seeing that there is a CORS request being made each time and that it is explicitly no-cache? I'm just using the mw.ForeignApi() javascript module, and I don't see anything ext.centralauth.ForeignApi.js, mediawiki.ForeignApi.core.js, or the base mw.Api index.js about CORS requests
Comment Actions
On the latest Chrome stable I see an OPTIONS CORS preflight request before every API request to other domains:
These requests are initiated by the browser itself. It's how it checks that the subsequent API request (which is the one you initiated from your code) is allowed by other domain you're trying to reach.
Comment Actions
On the latest Chrome stable I see an OPTIONS CORS preflight request before every API request to other domains:
These requests are initiated by the browser itself. It's how it checks that the subsequent API request (which is the one you initiated from your code) is allowed by other domain you're trying to reach.
Hmm, okay, will need to look into what the browser is doing since its not a request made in the code itself
Comment Actions
I poked around a bit to try and add a 5 minute cache header, but wasn't able to get it to work - will try again later this week though
Edit: Tried again, managed to get it to correctly set Access-Control-Max-Age: 300. However, the OPTIONS call then fails, with mediawiki-cors-rejection: Unsupported header requested in preflight
I confirmed that this is the specific header failing based on the logs on fluorine
WARNING: CORS preflight failed on requested header: access-control-max-age {"header":"access-control-max-age"}$wgAllowedCorsHeaders does not currently allow Access-Control-Max-Age as a header for cross-origin API requests. @Gilles unless this changes in core (or in WMF settings), is it possible to add this caching? If not, should be change the settings? Or not cache?
Comment Actions
This looks like a safe header to add to me, but I'd suggest getting signoff from the security team to allow this header (probably in MediaWiki core's default value).
Comment Actions
Stalling until this is possible, see T269636: Add `Access-Control-Max-Age` to `$wgAllowedCorsHeaders`
Comment Actions
Change 651708 had a related patch set uploaded (by DannyS712; owner: DannyS712):
[mediawiki/extensions/GlobalWatchlist@master] Set Access-Control-Max-Age header in api requests
Comment Actions
Change 651708 merged by jenkins-bot:
[mediawiki/extensions/GlobalWatchlist@master] Set Access-Control-Max-Age header in api requests