I am trying to make an OAuth2-authenticated request on Wikidata from an SPA on a localhost web client. However, I keep on running into CORS errors, and I double-checked the origin to make sure I am doing it right. I copied the request into cURL and found something interesting:
* Trying 2620:0:861:ed1a::1:443... * Connected to www.wikidata.org (2620:0:861:ed1a::1) port 443 (#0) * ALPN, offering h2 * ALPN, offering http/1.1 * successfully set certificate verify locations: * CAfile: /etc/ssl/cert.pem * CApath: none * (304) (OUT), TLS handshake, Client hello (1): * (304) (IN), TLS handshake, Server hello (2): * (304) (IN), TLS handshake, Unknown (8): * (304) (IN), TLS handshake, Certificate (11): * (304) (IN), TLS handshake, CERT verify (15): * (304) (IN), TLS handshake, Finished (20): * (304) (OUT), TLS handshake, Finished (20): * SSL connection using TLSv1.3 / AEAD-CHACHA20-POLY1305-SHA256 * ALPN, server accepted to use h2 * Server certificate: * subject: CN=*.wikipedia.org * start date: Oct 26 08:25:13 2022 GMT * expire date: Jan 24 08:25:12 2023 GMT * subjectAltName: host "www.wikidata.org" matched cert's "*.wikidata.org" * issuer: C=US; O=Let's Encrypt; CN=R3 * SSL certificate verify ok. * Using HTTP2, server supports multiplexing * Connection state changed (HTTP/2 confirmed) * Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0 * Using Stream ID: 1 (easy handle 0x156011400) > GET /w/api.php?action=query&format=json&meta=tokens&formatversion=2&origin=http%3A%2F%2Flocalhost%3A16000 HTTP/2 > Host: www.wikidata.org > accept: */* > accept-encoding: deflate, gzip > sec-ch-ua: "Google Chrome";v="107", "Chromium";v="107", "Not=A?Brand";v="24" > dnt: 1 > sec-ch-ua-mobile: ?0 > user-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36 > authorization: Bearer <token expunged, but it is valid> > origin: http://localhost:16000 > referer: http://localhost:16000/ > api-user-agent: Animanga DB Matcher (User:RPI2026F1) > sec-ch-ua-platform: "macOS" > < HTTP/2 200 < date: Tue, 22 Nov 2022 14:54:50 GMT < server: mw1363.eqiad.wmnet < x-content-type-options: nosniff < mediawiki-cors-rejection: Origin mismatch < x-frame-options: DENY < content-disposition: inline; filename=api-result.json < cache-control: private, must-revalidate, max-age=0 < vary: Accept-Encoding < content-length: 101 < content-type: application/json; charset=utf-8 < age: 2 < x-cache: cp1087 pass, cp1089 pass < x-cache-status: pass < server-timing: cache;desc="pass", host;desc="cp1089" < strict-transport-security: max-age=106384710; includeSubDomains; preload < report-to: { "group": "wm_nel", "max_age": 86400, "endpoints": [{ "url": "https://intake-logging.wikimedia.org/v1/events?stream=w3c.reportingapi.network_error&schema_uri=/w3c/reportingapi/network_error/1.0.0" }] } < nel: { "report_to": "wm_nel", "max_age": 86400, "failure_fraction": 0.05, "success_fraction": 0.0} < set-cookie: WMF-Last-Access=22-Nov-2022;Path=/;HttpOnly;secure;Expires=Sat, 24 Dec 2022 12:00:00 GMT < set-cookie: WMF-Last-Access-Global=22-Nov-2022;Path=/;Domain=.wikidata.org;HttpOnly;secure;Expires=Sat, 24 Dec 2022 12:00:00 GMT < accept-ch: Sec-CH-UA-Arch,Sec-CH-UA-Bitness,Sec-CH-UA-Full-Version-List,Sec-CH-UA-Model,Sec-CH-UA-Platform-Version < permissions-policy: interest-cohort=(),ch-ua-arch=(self "intake-analytics.wikimedia.org"),ch-ua-bitness=(self "intake-analytics.wikimedia.org"),ch-ua-full-version-list=(self "intake-analytics.wikimedia.org"),ch-ua-model=(self "intake-analytics.wikimedia.org"),ch-ua-platform-version=(self "intake-analytics.wikimedia.org") < x-client-ip: 2620:0:2820:2001:a4fe:420d:269d:3967 < set-cookie: GeoIP=<GeoIP expunged>:v4; Path=/; secure; Domain=.wikidata.org < accept-ranges: bytes < * Connection #0 to host www.wikidata.org left intact {"batchcomplete":true,"query":{"tokens":{"csrftoken":"3706a9e3b8cdcd587567a563959d2642637ce2bb+\\"}}}
I am getting valid data but a complete lack of any CORS headers, so my browser is unable to do the request.