Steps to reproduce:
- Go to https://de.wikipedia.org
- Execute the following code:
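var xhr = new XMLHttpRequest();
// Registering a listener on xhr.upload sets the force preflight flag.
xhr.upload.addEventListener('progress', function () {}, false);
// Send cookies with the cross-origin request.
xhr.withCredentials = true;
xhr.open('GET', 'https://commons.wikimedia.org/w/api.php?action=tokens&type=edit&origin=https://de.wikipedia.org&format=json', true);
xhr.onreadystatechange = function () {
    // Logs the response text on every readyState change.
    console.log(xhr.responseText);
};
xhr.send();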
This sends a request using the OPTIONS method with header
Access-Control-Request-Method: GET
This is correct according to the specs as I just learned:
http://dvcs.w3.org/hg/xhr/raw-file/tip/Overview.html -> set force preflight flag
http://dvcs.w3.org/hg/cors/raw-file/tip/Overview.html#resource-preflight-requests
The server answers with
HTTP/1.1 403 Forbidden
with a header
X-Squid-Error: ERR_ACCESS_DENIED 0
Version: wmf-deployment
Severity: minor
See Also:
https://bugzilla.wikimedia.org/show_bug.cgi?id=44921
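
The behaviour reported above, as an added example that is not part of the original report and is not browser or MediaWiki code: a simplified model of when a cross-origin XHR is preflighted and how the preflight response is judged. The function names, object shapes and the `constructedOk` response are assumptions made for illustration.

```javascript
// Added example: simplified model of the CORS preflight rules (assumed names and shapes).
const SIMPLE_METHODS = new Set(['GET', 'HEAD', 'POST']);
const SIMPLE_HEADERS = new Set(['accept', 'accept-language', 'content-language']);
const SIMPLE_CONTENT_TYPES = new Set([
  'application/x-www-form-urlencoded', 'multipart/form-data', 'text/plain']);

// True when the browser must send an OPTIONS preflight before the real request.
function needsPreflight(req) {
  if (req.uploadListeners > 0) return true;            // XHR "force preflight flag"
  if (!SIMPLE_METHODS.has(req.method)) return true;
  return Object.entries(req.headers || {}).some(([name, value]) => {
    const n = name.toLowerCase();
    if (SIMPLE_HEADERS.has(n)) return false;
    if (n === 'content-type') {
      return !SIMPLE_CONTENT_TYPES.has(value.split(';')[0].trim().toLowerCase());
    }
    return true;                                       // any other author header
  });
}

// Returns null when the preflight response permits the request, else the reason it fails.
function preflightFailure(req, res) {
  const h = {};
  for (const [k, v] of Object.entries(res.headers)) h[k.toLowerCase()] = v;
  if (res.status < 200 || res.status > 299) return `status ${res.status} is not 2xx`;
  const allowOrigin = h['access-control-allow-origin'];
  if (req.withCredentials) {
    // With credentials the wildcard is not accepted; the origin must be echoed exactly.
    if (allowOrigin !== req.origin) return 'Access-Control-Allow-Origin must equal the origin';
    if (h['access-control-allow-credentials'] !== 'true') return 'Access-Control-Allow-Credentials must be true';
  } else if (allowOrigin !== '*' && allowOrigin !== req.origin) {
    return 'origin not allowed';
  }
  const methods = (h['access-control-allow-methods'] || '').split(',').map(m => m.trim());
  if (!SIMPLE_METHODS.has(req.method) && !methods.includes(req.method)) return 'method not allowed';
  return null;
}

// The request from the report and the response it received.
const reported = { method: 'GET', origin: 'https://de.wikipedia.org', withCredentials: true, uploadListeners: 1 };
const squid403 = { status: 403, headers: { 'X-Squid-Error': 'ERR_ACCESS_DENIED 0' } };
// Constructed response: what a front end that answers OPTIONS could return.
const constructedOk = { status: 200, headers: {
  'Access-Control-Allow-Origin': 'https://de.wikipedia.org',
  'Access-Control-Allow-Credentials': 'true' } };

console.log(needsPreflight(reported), preflightFailure(reported, squid403), preflightFailure(reported, constructedOk));
```

Without the `xhr.upload` listener the same GET is a simple request and no OPTIONS is sent, which is why the 403 only appears once the listener is registered.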