**Steps to Reproduce**
# Use the #mediawiki-rest-api to make a `POST`, `PUT`, or `DELETE` request without a `token` parameter
**Actual Results**
The API will respond with a `400` error:
> The "token" parameter must be set.
**Expected Results**
Since the REST API requires a `Content-Type: application/json`, it is impossible to make a cross-site request forgery since the custom [[ https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Type | Content-Type ]] header forces the request to be a [[ https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS#Simple_requests | non-simple request ]]. Since the request is non-simple, the browser will issue a [[ https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS#Preflighted_requests | preflight request ]] and ask the server if it should send the user's session cookies or not. Since the server never responds with `Access-Control-Allow-Credentials`, the browser will never send the user's session cookie.
**Proposed Solution**
Remove the CSRF token requirement from the REST API and deprecate the endpoint to retrieve the tokens.
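
As an added example (not part of the task description and not MediaWiki code), the following models the browser rule that the Expected Results reasoning relies on, together with the server-side check that reasoning depends on: write requests must be rejected unless their Content-Type is `application/json`. All function names are hypothetical, and the sample requests are constructed.

```javascript
// Added example, not MediaWiki code; all function names are hypothetical.
const SIMPLE_METHODS = new Set(['GET', 'HEAD', 'POST']);
const SIMPLE_CONTENT_TYPES = new Set([
  'application/x-www-form-urlencoded', 'multipart/form-data', 'text/plain',
]);
// Headers a page may set without a preflight (the spec's value limits are omitted).
const SAFELISTED_HEADERS = new Set([
  'accept', 'accept-language', 'content-language', 'content-type',
]);

// "text/plain; charset=utf-8" -> "text/plain"
function mimeEssence(value) {
  return String(value || '').split(';')[0].trim().toLowerCase();
}

// True when a cross-origin request with this method and these author-set
// headers makes the browser send an OPTIONS preflight before the request.
function needsPreflight(method, headers) {
  if (!SIMPLE_METHODS.has(method.toUpperCase())) return true;
  for (const [name, value] of Object.entries(headers)) {
    const lower = name.toLowerCase();
    if (!SAFELISTED_HEADERS.has(lower)) return true;
    if (lower === 'content-type' &&
        !SIMPLE_CONTENT_TYPES.has(mimeEssence(value))) return true;
  }
  return false;
}

// Server-side guard: the preflight argument only holds if a write with any
// other Content-Type is rejected instead of being parsed as JSON anyway.
function acceptsWrite(method, headers) {
  const m = method.toUpperCase();
  if (m === 'GET' || m === 'HEAD' || m === 'OPTIONS') return true;
  const ct = Object.entries(headers)
    .find(([name]) => name.toLowerCase() === 'content-type');
  return ct !== undefined && mimeEssence(ct[1]) === 'application/json';
}

// Constructed sample requests.
const samples = [
  { method: 'POST', headers: { 'Content-Type': 'application/json' } },
  { method: 'POST', headers: { 'Content-Type': 'text/plain' } }, // form-style POST
  { method: 'DELETE', headers: { 'Content-Type': 'application/json' } },
];
for (const s of samples) {
  console.log(s.method, mimeEssence(s.headers['Content-Type']),
    'preflight:', needsPreflight(s.method, s.headers),
    'accepted:', acceptsWrite(s.method, s.headers));
}
```

The `text/plain` sample is the case to watch: it needs no preflight, so the guard has to refuse it even when the body happens to be valid JSON.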