Page MenuHomePhabricator
Create Task
Maniphest T419866

CORS policy errors with any user script that calls a different subdomain's API
Closed, ResolvedPublicBUG REPORT
Actions

Description

Steps to replicate the issue (include links if applicable):

  • Use any user script that calls the API of a different domain to current (e.g. meta.wikimedia.org while on de.wikibooks.org), for example using XReport or TwinkleGlobal

What happens?:
CORS policy rejects the API call.

What should have happened instead?:
The API call should have gone through.

Software version (on Special:Version page; skip for WMF-hosted wikis like Wikipedia):

Other information (browser name/version, screenshots, etc.):
Console error

Benutzer:TanyaLlanas976#:1 Access to XMLHttpRequest at 'https://meta.wikimedia.org/w/api.php?action=query&format=json&origin=https%3A%2F%2Fde.wikibooks.org&centralauthtoken={centralauthtoken}&prop=revisions&formatversion=2&rvprop=content&rvslots=main&rvlimit=1&titles=Steward%20requests%2FGlobal' from origin 'https://de.wikibooks.org' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource.
meta.wikimedia.org/w/api.php?action=query&format=json&origin=https%3A%2F%2Fde.wikibooks.org&centralauthtoken={centralauthtoken}&prop=revisions&formatversion=2&rvprop=content&rvslots=main&rvlimit=1&titles=Steward%20requests%2FGlobal:1  Failed to load resource: net::ERR_FAILED

Details

Related Changes in Gerrit:
SubjectRepoBranchLines +/-
rest-gateway: do not limit pre-flight requestsoperations/deployment-chartsmaster+42 -3
Customize query in gerrit

Related Objects

Event Timeline

Tenshi_Hinanawi created this task.Thu, Mar 12, 3:15 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptThu, Mar 12, 3:15 PM
Tenshi_Hinanawi updated the task description. (Show Details)Thu, Mar 12, 3:46 PM
Izno added projects: ContentSecurityPolicy, 2026-user-javascript-incident.Thu, Mar 12, 4:37 PM
Izno added a parent task: T419265: CSP adjustments related to the 2026 user javascript incident.
sbassett subscribed.Thu, Mar 12, 4:42 PM

I'm doubtful this is related to the recent changes around enforcing CSP. The error message seems to indicate it is more about preflight requests interacting with certain Access-Control-Allow-Origin headers.

Nirmos subscribed.Thu, Mar 12, 4:52 PM
Nirmos edited projects, added JavaScript, MediaWiki-General; removed 2026-user-javascript-incident, ContentSecurityPolicy.Thu, Mar 12, 4:58 PM
Nirmos removed a parent task: T419265: CSP adjustments related to the 2026 user javascript incident.
Pro-anti-air subscribed.Thu, Mar 12, 5:41 PM
A_smart_kitten subscribed.Thu, Mar 12, 6:57 PM
LuniZunie subscribed.Thu, Mar 12, 10:36 PM
enbi subscribed.Thu, Mar 12, 11:37 PM
PieWriter subscribed.Thu, Mar 12, 11:43 PM
matmarex subscribed.Fri, Mar 13, 6:51 AM

Can you provide more detailed steps to reproduce?

This works for me when I run it in the browser console on https://de.wikibooks.org/wiki/Hauptseite, logged in as well as logged out:

await mw.loader.using('mediawiki.ForeignApi');
await new mw.ForeignApi('https://meta.wikimedia.org/w/api.php').get({});

Perhaps you are being affected by the new global rate limits (https://lists.wikimedia.org/hyperkitty/list/wikitech-l@lists.wikimedia.org/thread/LC67SXEJMMUWIFPLRTJ7WBTNZ3SEQXW4/). You may be able to view the responses in browser developer tools to confirm that. If so, this would be the same problem as T418969 (in progress).

matmarex added a project: MediaWiki-Platform-Team.Fri, Mar 13, 6:51 AM
matmarex added a subscriber: daniel.
matmarex added a comment.Fri, Mar 13, 9:55 AM

I am now on a worse connection than before (public WiFi) and can reproduce the problem using my snippet above.

The response body for the OPTIONS request is:

You are making too many requests.
Please reduce your request rate or contact <bot-traffic@wikimedia.org>.

Hopefully we can find out what's causing it.

taavi subscribed.Fri, Mar 13, 10:01 AM
In T419866#11705608, @matmarex wrote:

Hopefully we can find out what's causing it.

That specific error is coming from api-gateway, so indeed seems to be related if not the same as T418969.

matmarex added a project: Hackathon-Northwestern-Europe-2026.Fri, Mar 13, 10:10 AM

If it was due to T418969, the rate-limited response body should be a JSON object, so this might be yet another, different rate limit.

daniel added a comment.EditedFri, Mar 13, 10:40 AM

If it was due to T418969, the rate-limited response body should be a JSON object, so this might be yet another, different rate limit.

The Envoy gateway sends a plain text response. This is indeed related. There is a patch up already, but it combines "no rate limit for OPTIONS" with more complex cors related hresponse manipulation. I'll split that out so we can deploy it asap.

See https://gerrit.wikimedia.org/r/c/operations/deployment-charts/+/1248461/8/charts/api-gateway/lua/restgateway.lua#79

Krinkle moved this task from Proposed Projects to Tinkering in Progress on the Hackathon-Northwestern-Europe-2026 board.Fri, Mar 13, 11:05 AM
gerritbot added a comment.Fri, Mar 13, 11:13 AM

Change #1251289 had a related patch set uploaded (by Daniel Kinzler; author: Daniel Kinzler):

[operations/deployment-charts@master] rest-gateway: do not limit pre-flight requests

https://gerrit.wikimedia.org/r/1251289

gerritbot added a project: Patch-For-Review.Fri, Mar 13, 11:13 AM
A_smart_kitten edited projects, added WMF-General-or-Unknown; removed MediaWiki-General.Fri, Mar 13, 11:44 AM
gerritbot added a comment.Fri, Mar 13, 11:49 AM

Change #1251289 merged by jenkins-bot:

[operations/deployment-charts@master] rest-gateway: do not limit pre-flight requests

https://gerrit.wikimedia.org/r/1251289

Clement_Goubert subscribed.Fri, Mar 13, 12:12 PM

We have removed the rate limits on OPTIONS requests and I don't see anymore 429 responses to them in logs. Resolving, please feel free to reopen if the issue presents itself again.

Clement_Goubert closed this task as Resolved.Fri, Mar 13, 12:12 PM
Clement_Goubert claimed this task.
Maintenance_bot removed a project: Patch-For-Review.Fri, Mar 13, 12:31 PM
Multichill moved this task from Tinkering in Progress to Ready for showcase on the Hackathon-Northwestern-Europe-2026 board.Fri, Mar 13, 2:31 PM
sbassett added a project: SecTeam-Processed.Fri, Mar 13, 4:02 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits