Page MenuHomePhabricator
Create Task
Maniphest T397571

Support CORS in gitlab-content tool
Closed, ResolvedPublicFeature
Actions

Description

Currently, the "gitlab-content" tool can be used to load eg. JavaScript and CSS from GitLab on Wikimedia wikis. However, scripts cannot load data files from there (or at least, without workarounds).

In my use case, I would like to load JavaScript and then lazily load a JSON file on demand from https://gitlab.wikimedia.org/msz2001/abusefilter-analyzer/-/tree/deploy The latter I wanted to do with fetch(), so that I can retrieve and process the response.

However, the request is blocked due to it being cross-origin. Here, I'd like to ask for CORS support in the tool.

I imagine it to be implemented in one of two ways. Since the requests contain no credentials, Access-Control-Allow-Origin: * could be hardcoded into responses, so that no additional measures will need to be taked by the clients to be able to fetch from gitlab-content. This is the simpler one.

Alternatively, a similar way to MediaWiki API's is possible, ie. one needs to pass an additional param in the URL with the origin host, which is then included in the response as Access-Control-Allow-Origin header.

For example:

https://gitlab-content.toolforge.org/{REPO}/-/raw/{PATH}?mime={MIME}&maxage={MAXAGE}&origin=en.wikipedia.org

would allow the browser to share the response with a script running on en.wikipedia.org, by including Access-Control-Allow-Origin: en.wikipedia.org.

Related Objects

Event Timeline

Msz2001 created this task.Jun 21 2025, 6:23 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJun 21 2025, 6:23 PM
Iniquity added a subscriber: bd808.Jul 17 2025, 8:21 PM
Iniquity subscribed.

@bd808 As it turns out, the task already exists :) I also encountered this today.

image.png (261×651 px, 43 KB)

Iniquity changed the subtype of this task from "Task" to "Feature Request".Jul 17 2025, 8:29 PM
bd808 moved this task from Backlog to Ready on the Tool-gitlab-content board.Jul 17 2025, 9:22 PM
bd808 triaged this task as Medium priority.Jul 17 2025, 9:24 PM

I really thought that the Toolforge front proxy already did this for all tools, but I was apparently confusing the Toolforge proxy with the tools-static proxy.

CodeReviewBot added a project: Patch-For-Review.Jul 20 2025, 4:37 PM

bd808 opened https://gitlab.wikimedia.org/toolforge-repos/gitlab-content/-/merge_requests/11

Add CORS preflight and response headers

bd808 changed the task status from Open to In Progress.Jul 20 2025, 4:38 PM
bd808 claimed this task.
bd808 moved this task from Ready to Doing on the Tool-gitlab-content board.
Restricted Application added a project: User-bd808. · View Herald TranscriptJul 20 2025, 4:38 PM
CodeReviewBot added a comment.Jul 20 2025, 5:02 PM

bd808 merged https://gitlab.wikimedia.org/toolforge-repos/gitlab-content/-/merge_requests/11

Add CORS preflight and response headers

Maintenance_bot removed a project: Patch-For-Review.Jul 20 2025, 5:30 PM
Stashbot added a comment.Jul 20 2025, 5:58 PM

Mentioned in SAL (#wikimedia-cloud) [2025-07-20T17:58:27Z] <wmbot~bd808@tools-bastion-12> Built new image from 449e522e (T397571, T393928)

Stashbot mentioned this in T393928: Add maxage/smaxage cache header controls to gilab-content proxy.Jul 20 2025, 5:58 PM

Mentioned in SAL (#wikimedia-cloud) [2025-07-20T17:59:25Z] <wmbot~bd808@tools-bastion-12> Restarted to deploy new image from 449e522e (T397571, T393928)

bd808 closed this task as Resolved.Jul 20 2025, 6:02 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits