Page MenuHomePhabricator

Cleanup CORS reply by api
Closed, ResolvedPublic

Description

Our CORS replies by the API are not implemented 100% according to the spec. We should do some cleanup.

We handle preflight in includes/api/ApiMain.php on line 381 by always stopping processing if the request is an OPTIONS request.

However, that means, as far as I can tell, that we return the same CORS response headers on the preflight and the actual request (which is not how preflight is intended to be used) and we do not output Access-Control-Allow-Methods which we should output for a 'proper' preflight request.
http://www.html5rocks.com/static/images/cors_server_flowchart.png
https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS

Event Timeline

TheDJ created this task.Dec 4 2014, 10:02 AM
TheDJ raised the priority of this task from to Needs Triage.
TheDJ updated the task description. (Show Details)
TheDJ added a project: MediaWiki-API.
TheDJ changed Security from none to None.
TheDJ added a subscriber: TheDJ.

Change 177545 had a related patch set uploaded (by TheDJ):
[WIP] Only return CORS headers in the response as required

https://gerrit.wikimedia.org/r/177545

Patch-For-Review

TheDJ claimed this task.Dec 5 2014, 11:14 AM
TheDJ triaged this task as Low priority.

Change 177545 merged by jenkins-bot:
Only return CORS headers in the response as required

https://gerrit.wikimedia.org/r/177545

TheDJ closed this task as Resolved.Dec 31 2014, 6:32 PM