Mar 17 2015
Mar 16 2015
I've run into this today. I inferred from the documentation on MediaWiki that I would get Access-Control-Allow-Origin: <value of origin header>, since allowing all domains seems like a reasonably sensible option when doing GET queries, but, as discussed here, I didn't. If we are really at the stage of not trusting the browsers to implement the standard correctly (as far as I know they all do), it would be possible to reject requests with the Cookie header sent.
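The policy suggested in the comment above, sketched as an added example that is not part of the original comment and is not MediaWiki code: reflect the Origin header for cross-origin GET queries, never allow credentials, and refuse cross-origin requests that carry a Cookie header. The function name, status codes and sample origin are assumptions made for illustration.

```python
# Added illustration; not MediaWiki code. Names and status codes are hypothetical.
from typing import Dict, Tuple


def anonymous_cors_policy(method: str, headers: Dict[str, str]) -> Tuple[int, Dict[str, str]]:
    """Return (status, CORS response headers) for an incoming request.

    Cross-origin GET queries get their Origin reflected back, but only when
    the request is anonymous, so the response can never hold per-user data.
    """
    # HTTP header names are case-insensitive; normalise before lookup.
    h = {k.lower(): v for k, v in headers.items()}
    origin = h.get("origin")

    if origin is None:
        # Not a CORS request (e.g. same-origin navigation): nothing to add.
        return 200, {}

    if method.upper() != "GET":
        # Only read-only GET queries are opened up to every origin.
        return 403, {}

    if "cookie" in h:
        # Do not rely on the browser withholding credentials: refuse outright.
        return 403, {}

    # Access-Control-Allow-Credentials is deliberately never sent.
    return 200, {
        "Access-Control-Allow-Origin": origin,
        # The response varies with the request's Origin, so caches must key on it.
        "Vary": "Origin",
    }


if __name__ == "__main__":
    # Constructed sample requests (origin value is a placeholder).
    samples = [
        ("GET", {"Origin": "https://app.example"}),
        ("GET", {"Origin": "https://app.example", "Cookie": "session=abc"}),
        ("POST", {"Origin": "https://app.example"}),
        ("GET", {"Cookie": "session=abc"}),
    ]
    for method, hdrs in samples:
        print(method, hdrs, "->", anonymous_cors_policy(method, hdrs))
```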