Page MenuHomePhabricator
Create Task
Maniphest T399674

Requests fail with Access-Control-Allow-Origin errors when using ForeignApi on iOS Safari
Open, MediumPublicBUG REPORT
Actions

Description

Steps to replicate the issue:

  • Open Safari on iOS.
  • Go, for example, to the testwiki;
  • Add the following user script to your common.js:
mw.loader.load( 'https://test.wikipedia.org/w/index.php?title=User:Serhio_Magpie/testCors.js&action=raw&ctype=text/javascript' );
  • or execute the following code in the browser console:
mw.loader.using( [ 'mediawiki.util', 'mediawiki.ForeignApi' ] )
    .then( () => {
        const test = ( hostname ) => {
            const api = new mw.ForeignApi( 'https://' + hostname + mw.util.wikiScript( 'api' ) );
            const params = {
                action: 'query',
                meta: 'siteinfo',
                siprop: 'general',
                format: 'json',
                formatversion: 2,
            };
            api.get( params )
                .done( response => {
                    console.info( `======= ${ hostname } pass =======` );
                    console.log( response );
                } )
                .fail( error => {
                    console.info( `======= ${ hostname } fails =======` );
                    throw new Error( error );
                } );
        };

        test( 'meta.wikimedia.org' );
        test( 'www.mediawiki.org' );
        test( 'www.wikidata.org' );
    } );
  • See the errors in the browser console:
Mobile site:
Inspect_OQHfzutGJv.png (1,885×579 px, 59 KB)
Desktop site:
image.png (1,912×217 px, 57 KB)

What happens?:
On the latest iOS 18.5 Safari, the first request made to the project using ForeignApi constantly fails regardless of desktop or mobile site version. All content blockers are disabled. On the latest Chrome or Firefox on Windows 11, all requests pass as they should.

Mobile site:
chrome_9j7X2blWCM.png (706×1,088 px, 61 KB)
Desktop site:
chrome_No7QOVeVuh.png (813×1,093 px, 72 KB)

Related Objects

Event Timeline

SerDIDG created this task.Jul 16 2025, 4:30 AM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJul 16 2025, 4:30 AM
Maintenance_bot added a project: MW-Interfaces-Team.Jul 16 2025, 4:31 AM
HCoplin-WMF triaged this task as Medium priority.Jul 16 2025, 1:23 PM
HCoplin-WMF moved this task from Incoming (Needs Triage) to Bugs & Chores on the MW-Interfaces-Team board.
HCoplin-WMF added a project: Web-Team.
HCoplin-WMF added subscribers: Catrope, HCoplin-WMF.

MediaWiki Interfaces doesn't currently have expertise to dig into this. Tagging Web-Team for additional support. @Catrope -- would you be able to take a look? It seems like Safari did make some CORS related changes recently: https://developer.apple.com/documentation/safari-release-notes/safari-18_4-release-notes

Jdrewniak removed a project: Web-Team.Jul 28 2025, 2:56 PM
Jdrewniak subscribed.

@HCoplin-WMF Web team is no more. We've been split into Reader Experience Team and Reader Growth Team , but I'm not sure if this issue is a good fit for either. I don't think this is an issue with MobileFrontend either.

CORS header access is maintained in a list of domains here in mediawiki-config

We should test if this happen on all wmf domains on mobile safari or just teswiki.

Jdrewniak added a comment.EditedJul 28 2025, 3:10 PM

I've tried to reproduce this and it looks like it happens on all mobile domains, and desktop domain, on iOS Safari, except enwiki (I can't reproduce on either en.m.wikipedia.org or en.wikipedia.org)
But only as a logged-in user. As an anonymous user, the requests seem to pass in the browser console.

Jdlrobson-WMF added a project: Traffic.Sep 10 2025, 10:43 PM
Jdlrobson-WMF moved this task from Untriaged to Tracking on the MobileFrontend board.
Jdlrobson-WMF edited projects, added: MobileFrontend (Tracking); removed: MobileFrontend.
ssingh removed a project: Traffic.Sep 29 2025, 3:46 PM
ssingh subscribed.

[Removing Traffic since this is a MW issue. Please re-add if you disagree.]

kostajh subscribed.Fri, May 15, 7:17 AM

This issue is now different, after T421778: Action API requests with centralauthtoken=… or OAuth bearer token should produce CORS headers if the token is invalid was rolled out. The problem now is that cross-wiki ForeignApi requests return badtoken: 'centralauthtoken is not valid' non-deterministically.

kostajh added a subscriber: matmarex.Fri, May 15, 7:17 AM
matmarex added a comment.Fri, May 15, 7:21 PM

I don't have any devices I could reproduce this on.

In T399674#11924269, @kostajh wrote:

This issue is now different, after T421778: Action API requests with centralauthtoken=… or OAuth bearer token should produce CORS headers if the token is invalid was rolled out. The problem now is that cross-wiki ForeignApi requests return badtoken: 'centralauthtoken is not valid' non-deterministically.

Any reason to believe this is related to the iOS issue? I saw some logs about invalid centralauthtokens recently (T424846#11871633), but did not have the time to investigate them.

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits