#### Origin
The [[ https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin | Access-Control-Allow-Origin ]] response header should be set on all responses and given a default value of `*` for wikis that are not on an intranet (i.e. behind a firewall). It is [[ https://annevankesteren.nl/2012/12/cors-101 | completely safe ]] to set this as the default value. MediaWiki should allow this behavior to be disabled if you are running MediaWiki on an intranet.
Doing this will provide for a much better developer experience as developers will be able to use the API from another origin automatically.
**Proposed Solution**
Add `Access-Control-Allow-Origin: *` to all requests (with a config option to disable it)
#### Credentials
If the API allows authorization with the [[ https://oauth.net/2/grant-types/authorization-code/ | authorization code grant ]] (or some other authorization mechanism that does not force the client app to expose its own secrets), then it is safe to add [[ https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Headers | Access-Control-Allow-Headers ]] with a value of `Authorization` (this header only needs to be added in the response to an `OPTIONS` request). This would allow non-allowlisted origins to make cross-origin authenticated requests.
If the API allows browser-based authorization (i.e. cookies), then the API will need to use an origin allowlist like the Action API does and add the [[ https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Credentials | Access-Control-Allow-Credentials ]] header in the response to an `OPTIONS` request from one of those allowlisted origins.
Regardless, since requests carrying `Authorization` or `Cookie` headers bypass the cache, it is not necessary to `Vary` the non-`OPTIONS` responses by `Origin`.
**Proposed Solution 1**
Allow cross-origin requests using OAuth (requires OAuth2's [[ https://oauth.net/2/grant-types/authorization-code/ | authorization code grant ]]):
# Add `Access-Control-Allow-Origin: *` to all `OPTIONS` requests
# Add `Access-Control-Allow-Headers: Authorization, Content-Type` to all `OPTIONS` requests
# Add `Access-Control-Allow-Methods: *` to all `OPTIONS` requests
**Proposed Solution 2**
Allow cross-origin requests using Cookies:
# Add `Vary: Origin` to **all** requests (alternatively, add an `origin` query parameter like the Action API does)
# Use the [[ https://www.mediawiki.org/wiki/Manual:$wgCrossSiteAJAXdomains | existing origin allowlist ]] and do the following only when the request's `Origin` is on it:
## Add `Access-Control-Allow-Credentials: true` to **all** requests
## Add `Access-Control-Allow-Origin: <Origin Requested>` to **all** requests
## Add `Access-Control-Allow-Headers: Content-Type` to all `OPTIONS` requests
## Add `Access-Control-Allow-Methods: HEAD, GET, POST, PUT, PATCH, DELETE` to all `OPTIONS` requests
**Proposed Solution 3**
Allow cross-origin requests with OAuth2 (requires OAuth2's [[ https://oauth.net/2/grant-types/authorization-code/ | authorization code grant ]]) **and** Cookies:
# Add `Access-Control-Allow-Headers: Authorization, Content-Type` to all `OPTIONS` requests
# Add `Vary: Origin` to **all** requests (alternatively, add an `origin` query parameter like the Action API does)
# Use the [[ https://www.mediawiki.org/wiki/Manual:$wgCrossSiteAJAXdomains | existing origin allowlist ]] and do the following only when the request's `Origin` is on it:
## Add `Access-Control-Allow-Origin: <Origin Requested>` to **all** requests
## Add `Access-Control-Allow-Credentials: true` to **all** requests
## Add `Access-Control-Allow-Methods: HEAD, GET, POST, PUT, PATCH, DELETE` to all `OPTIONS` requests
# If the origin is **not** on the allowlist:
## Add `Access-Control-Allow-Origin: *` to **all** requests
## Add `Access-Control-Allow-Methods: *` to all `OPTIONS` requests
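As an added illustration (not MediaWiki code), the following Python function returns the response headers that Proposed Solution 3 prescribes for a single request, so the allowlisted-origin branch and the wildcard branch can be compared side by side. The allowlist contents and the exact-match comparison are assumptions; the real `$wgCrossSiteAJAXdomains` matching is not reproduced.

```python
from typing import Dict, Optional, Set

# Constructed stand-in for $wgCrossSiteAJAXdomains: exact origins (scheme+host+port).
ALLOWLIST: Set[str] = {"https://app.example.org"}


def cors_headers(method: str, origin: Optional[str],
                 allowlist: Set[str] = ALLOWLIST) -> Dict[str, str]:
    """Headers for one request under Proposed Solution 3 (hypothetical helper)."""
    # Sent on every response: the body of the response depends on Origin,
    # so shared caches must not serve one origin's response to another.
    headers = {"Vary": "Origin"}
    preflight = method.upper() == "OPTIONS"
    if preflight:
        headers["Access-Control-Allow-Headers"] = "Authorization, Content-Type"
    if origin is None:
        # Same-origin or non-browser request: nothing to grant.
        return headers
    if origin in allowlist:
        # Cookie-based access: reflect the exact origin (never "*") and
        # allow credentials only for this allowlisted origin.
        headers["Access-Control-Allow-Origin"] = origin
        headers["Access-Control-Allow-Credentials"] = "true"
        if preflight:
            headers["Access-Control-Allow-Methods"] = "HEAD, GET, POST, PUT, PATCH, DELETE"
    else:
        # Unknown origin: anonymous or bearer-token (Authorization) access only.
        # No credentials flag is set, so cookies are never sent or exposed.
        headers["Access-Control-Allow-Origin"] = "*"
        if preflight:
            headers["Access-Control-Allow-Methods"] = "*"
    return headers


def credentials_safely_scoped(headers: Dict[str, str]) -> bool:
    """Invariant check: credentials may only accompany a specific, reflected origin.

    Browsers reject "*" together with Allow-Credentials, and reflecting an
    arbitrary origin with credentials would defeat the allowlist entirely.
    """
    if headers.get("Access-Control-Allow-Credentials") != "true":
        return True
    return headers.get("Access-Control-Allow-Origin") not in (None, "*")
```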
#### Related
* {T210790}
* {T256535}