
403 error when using MediaWiki REST API to `compare` revisions
Closed, Resolved · Public · Bug Report

Description

It seems that the API is blocking cross-origin access to data requested with the revision/{from}/compare/{to} route.

The issue, and steps to replicate

Here is an example of JS code which retrieves the JSON comparing two revisions with the REST API:

```javascript
// Fetch the JSON diff of two revisions from the MediaWiki REST API.
// Top-level await works in a Node REPL and in the browser console.
let route = "revision/1157633768/compare/1157658266";
let restUrl = "https://en.wikipedia.org/w/rest.php/v1/" + route;
let json = await fetch(restUrl).then(resp => resp.json());
console.log(json);
```

This code works in a local Node REPL, and likewise it works if I point my browser to <en.wikipedia.org> and press F12 to run the code in the in-browser console. Likewise, I can simply curl that URL and get the data printed in my terminal.

However, the following 403 error is raised if I use that same code in client-side JS on a website. Equivalently, I get the error if I use the in-browser console to run the code while pointed at a third-party site (basically anything other than Wikipedia):

GET https://en.wikipedia.org/w/rest.php/v1/revision/1157633768/compare/1157658266 403

{error: 'rest-cross-origin-anon-write', httpCode: 403, httpReason: 'Forbidden'}

The error title seems to indicate I'm being forbidden access since I'm trying to write from a cross-origin site, but the request I'm doing is a simple read-only request, isn't it? As such, I think this is a bug. According to the API's docs (Reference#Compare revisions), error 403 is returned when "Revision not publicly accessible". However, it seems this data is publicly accessible, since I can access it from any browser or curl without authentication.

Note, other requests, like the revision/{id}/bare route (let route = "revision/1157633768/bare"), work fine. I think it is a bug localized to the revision/{from}/compare/{to} route.

What should have happened instead?

Presuming this data is intended to be publicly accessible, the MediaWiki REST compare handler should declare that it doesn't need write access, so the request can succeed without the 403 error.

Other information

Operating system: macOS
Browsers tried: Firefox, Chrome (Brave), and Safari
This is my first foray into Phabricator. I hope I'm reporting this in the correct place (disclosure: I previously posted a similar question on Stack Overflow).
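The behaviour in the report comes down to one gate in the REST framework: an anonymous request carrying a cross-origin Origin header is refused when the target handler says it needs write access, and the compare handler was inheriting the framework default of "needs write access" even though it only reads. The model below is an added illustration, not MediaWiki's own code; the names ALLOWED_ORIGINS, authorizeCrossOrigin and respond, the sample origins and the exact rule are assumptions chosen to reproduce what the reporter saw. It shows why curl and a Node REPL succeed (they send no Origin header at all), why a browser on a third-party page was refused before the patch, and why a genuine write handler stays protected after it.

```javascript
// Added illustration (not MediaWiki's own code): a simplified model of the
// cross-origin gate the REST framework applies before a handler runs.
// Names (ALLOWED_ORIGINS, authorizeCrossOrigin, respond, needsWriteAccess)
// and the exact rule are assumptions chosen to match the reported behaviour.

// Origins the wiki treats as its own. Constructed sample data.
const ALLOWED_ORIGINS = new Set(["https://en.wikipedia.org"]);

// Browsers add an Origin header to cross-origin fetch() calls; curl and a
// Node REPL send none, so those clients never reach the refusal branch.
function isCrossOrigin(request) {
  const origin = request.headers.Origin;
  if (origin === undefined) {
    return false; // no Origin header: not a CORS request
  }
  return !ALLOWED_ORIGINS.has(origin);
}

// The gate: an anonymous, cross-origin request to a handler that declares it
// needs write access is refused. Anonymous users hold no CSRF token, so such a
// write cannot be told apart from a forged one. Logged-in users pass this gate
// and write handlers then rely on their token check (not modelled here).
// Returns the error key, or null when the request may proceed.
function authorizeCrossOrigin(request, handler) {
  if (request.user.isAnon && isCrossOrigin(request) && handler.needsWriteAccess()) {
    return "rest-cross-origin-anon-write";
  }
  return null;
}

// Response body in the shape the reporter saw, derived from the gate's verdict.
function respond(request, handler) {
  const error = authorizeCrossOrigin(request, handler);
  if (error !== null) {
    return { error, httpCode: 403, httpReason: "Forbidden" };
  }
  return { httpCode: 200, handler: handler.name };
}

// Handlers. The framework default is to require write access, so a read-only
// handler that does not override it is gated exactly like an edit.
const compareBeforeFix = { name: "compare", needsWriteAccess: () => true };
const compareAfterFix = { name: "compare", needsWriteAccess: () => false };
const editHandler = { name: "edit", needsWriteAccess: () => true };

// Request factory. Constructed sample requests, not captured traffic.
function makeRequest({ origin, isAnon }) {
  return {
    headers: origin === undefined ? {} : { Origin: origin },
    user: { isAnon },
  };
}

const thirdParty = makeRequest({ origin: "https://example.test", isAnon: true });
const sameOrigin = makeRequest({ origin: "https://en.wikipedia.org", isAnon: true });
const curlLike = makeRequest({ isAnon: true }); // no Origin header at all

// The scenarios from the report, plus a write handler for contrast.
function scenarios() {
  return {
    thirdPartyBefore: respond(thirdParty, compareBeforeFix),
    thirdPartyAfter: respond(thirdParty, compareAfterFix),
    sameOriginBefore: respond(sameOrigin, compareBeforeFix),
    curlBefore: respond(curlLike, compareBeforeFix),
    thirdPartyEdit: respond(thirdParty, editHandler),
  };
}

for (const [name, result] of Object.entries(scenarios())) {
  console.log(name.padEnd(18), JSON.stringify(result));
}
```

Run it with node; only thirdPartyBefore and thirdPartyEdit come back as 403 with rest-cross-origin-anon-write. The practical check when you meet this error is therefore not "is the revision private" but "does this handler declare write access, and did my client send an Origin header": compare the same URL from curl and from a browser console on a foreign page, as the reporter did.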

Event Timeline

Change 962696 had a related patch set uploaded (by Ammarpad; author: Ammarpad):

[mediawiki/core@master] REST Compare: Make handler to not require write access

https://gerrit.wikimedia.org/r/962696

Change 962696 merged by jenkins-bot:

[mediawiki/core@master] REST Compare: Make handler to not require write access

https://gerrit.wikimedia.org/r/962696

Ammarpad claimed this task.