Page MenuHomePhabricator
Create Task
Maniphest T76701

Cleanup CORS reply by api
Closed, ResolvedPublic
Actions

Description

Our CORS replies by the API are not implemented 100% according to the spec. We should do some cleanup.

We handle preflight in includes/api/ApiMain.php on line 381 by always stopping processing if the request is an OPTIONS request.

However, that means, as far as I can tell, that we return the same CORS response headers on the preflight and the actual request (which is not how preflight is intended to be used) and we do not output Access-Control-Allow-Methods which we should output for a 'proper' preflight request.
http://www.html5rocks.com/static/images/cors_server_flowchart.png
https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS

Details

SubjectRepoBranchLines +/-
Only return CORS headers in the response as requiredmediawiki/coremaster+68 -5
Customize query in gerrit

Related Objects

Event Timeline

TheDJ created this task.Dec 4 2014, 10:02 AM
TheDJ raised the priority of this task from to Needs Triage.
TheDJ updated the task description. (Show Details)
TheDJ added a project: MediaWiki-Action-API.
TheDJ changed Security from none to None.
TheDJ subscribed.
gerritbot added a project: Patch-For-Review.Dec 4 2014, 2:52 PM

Change 177545 had a related patch set uploaded (by TheDJ):
[WIP] Only return CORS headers in the response as required

https://gerrit.wikimedia.org/r/177545

Patch-For-Review

TheDJ claimed this task.Dec 5 2014, 11:14 AM
TheDJ triaged this task as Low priority.
gerritbot added a comment.Dec 31 2014, 6:05 PM

Change 177545 merged by jenkins-bot:
Only return CORS headers in the response as required

https://gerrit.wikimedia.org/r/177545

TheDJ mentioned this in rMW3eacf0349fe7: Only return CORS headers in the response as required.Dec 31 2014, 6:32 PM
TheDJ closed this task as Resolved.Dec 31 2014, 6:32 PM
RandomDSdevel awarded a token.Jan 12 2015, 11:23 PM
DannyS712 mentioned this in T269636: Add `Access-Control-Max-Age` to `$wgAllowedCorsHeaders`.Dec 7 2020, 11:24 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits