
Add "Access-Control-Allow-Origin: *" HTTP header to read-only API responses
Closed, Duplicate · Public

Description

To allow client-side JavaScript applications to fetch information from MediaWiki APIs, please add the following header to API responses, allowing the response to be read by an application running on a different domain:

Access-Control-Allow-Origin: *

https://www.mediawiki.org/wiki/API:Cross-site_requests

In the current documentation for CORS usage in cross-site requests, it states:

"If the CORS origin check passes, MediaWiki will include the Access-Control-Allow-Credentials: true header in the response, so authentication cookies may be sent."

What it should also say -- once this is implemented -- is that if the CORS origin check doesn't pass, MediaWiki will not include the Access-Control-Allow-Credentials: true header in the response, so authentication cookies may not be sent, but MediaWiki will still include the Access-Control-Allow-Origin: * header so that unauthenticated requests can be accessed from any origin.

Notes:
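Added example, not part of the original task or of MediaWiki's code: a model of the two-branch behaviour requested above, paired with the CORS check a browser applies under the Fetch standard. The allowlist, the origins and the function names are assumptions made for illustration.

```javascript
// Hypothetical allowlist standing in for the server's "CORS origin check".
const TRUSTED_ORIGINS = new Set(["https://trusted.example"]);

// Server side: choose CORS headers for a read-only API response.
function corsHeadersFor(requestOrigin, trusted = TRUSTED_ORIGINS) {
  if (requestOrigin && trusted.has(requestOrigin)) {
    // Check passed: echo the exact origin and allow cookies.
    return {
      "Access-Control-Allow-Origin": requestOrigin,
      "Access-Control-Allow-Credentials": "true",
      "Vary": "Origin", // response differs per origin, so caches must key on it
    };
  }
  // Check failed: readable from any origin, but never with credentials.
  return { "Access-Control-Allow-Origin": "*" };
}

// Browser side: the CORS check from the Fetch standard, reduced to the
// two headers discussed in this task.
function browserExposesResponse(headers, requestOrigin, withCredentials) {
  const allowOrigin = headers["Access-Control-Allow-Origin"];
  if (allowOrigin === undefined) return false;
  // The wildcard is honoured only for requests sent without credentials.
  if (!withCredentials && allowOrigin === "*") return true;
  if (allowOrigin !== requestOrigin) return false;
  if (!withCredentials) return true;
  return headers["Access-Control-Allow-Credentials"] === "true";
}

// Constructed scenarios: each origin, with and without cookies.
function scenarios() {
  const rows = [];
  for (const origin of ["https://trusted.example", "https://other.example"]) {
    for (const withCredentials of [false, true]) {
      const headers = corsHeadersFor(origin);
      const readable = browserExposesResponse(headers, origin, withCredentials);
      rows.push({ origin, withCredentials, readable });
    }
  }
  return rows;
}

console.table(scenarios());
```

Only the untrusted origin sending cookies is refused: a wildcard response is never exposed to a credentialed request, so the wildcard branch opens anonymous reads without exposing per-user data to arbitrary origins.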

Event Timeline

eaton.alf raised the priority of this task from to Needs Triage.
eaton.alf updated the task description.
eaton.alf added a project: MediaWiki-API.
eaton.alf added a subscriber: eaton.alf.
Restricted Application added a subscriber: Aklapper. · Feb 4 2015, 11:50 AM

I would like to suggest this change to the response headers, but I don't know enough about the rest of the system to know whether it would have unintended side effects.

Anomie added a subscriber: Anomie. · Feb 4 2015, 4:13 PM

Opening a duplicate bug because you don't like the closure of your last one isn't the way to go about things. Further comment on the previous bug.