Page MenuHomePhabricator

Cleanup CORS reply by api
Closed, ResolvedPublic


Our CORS replies by the API are not implemented 100% according to the spec. We should do some cleanup.

We handle preflight in includes/api/ApiMain.php on line 381 by always stopping processing if the request is an OPTIONS request.

However, that means, as far as I can tell, that we return the same CORS response headers on the preflight and the actual request (which is not how preflight is intended to be used) and we do not output Access-Control-Allow-Methods which we should output for a 'proper' preflight request.

Event Timeline

TheDJ raised the priority of this task from to Needs Triage.
TheDJ updated the task description. (Show Details)
TheDJ added a project: MediaWiki-Action-API.
TheDJ changed Security from none to None.
TheDJ added a subscriber: TheDJ.

Change 177545 had a related patch set uploaded (by TheDJ):
[WIP] Only return CORS headers in the response as required


TheDJ triaged this task as Low priority.

Change 177545 merged by jenkins-bot:
Only return CORS headers in the response as required