#### Origin
The [[ https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin | Access-Control-Allow-Origin ]] response header should be set on all responses and given a default value of `*` for wikis that are not on an intranet (i.e. behind a firewall). It is [[ https://annevankesteren.nl/2012/12/cors-101 | completely safe ]] to set this as the default value. MediaWiki should allow this behavior to be disabled if you are running MediaWiki on an intranet.
Doing this will provide for a much better developer experience as developers will be able to use the API from another origin automatically.
**Proposed Solution**
Add `Access-Control-Allow-Origin: *` to all requests (config option to disable)
#### Credentials
If the API allows for authorization with the [[ https://oauth.net/2/grant-types/authorization-code/ | authorization code grant ]] (or some other authorization mechanism that does not force the client app to expose its own secrets), then it is safe to add [[ https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Headers | Access-Control-Allow-Headers ]] with a value of `Authorization` (this header only needs to be added in the response to an `OPTIONS` request). This would allow non-whitelisted origins to make cross-origin authenticated requests.
If the API allows for browser-based authorization (i.e. Cookies) then the API will need to use the origin whitelist like the Action API does and add the [[ https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Credentials | Access-Control-Allow-Credentials ]] header to the response to an `OPTIONS` request from those whitelisted origins.
Regardless, since `Authorization` and `Cookie` headers bypass the cache, it is not necessary to vary a request by `Origin`.
**Proposed Solution**
# Allow OAuth2's [[ https://oauth.net/2/grant-types/authorization-code/ | authorization code grant ]]
# Add `Access-Control-Allow-Headers: Authorization` to all `OPTIONS` requests
# Add `Access-Control-Allow-Methods: HEAD, GET` (and any other methods supported by the REST API) to all `OPTIONS` requests
---OR---
# Use the existing origin allowlist and only do the following actions from one of those `Origins`:
# Add `Access-Control-Allow-Origin: <Origin Requested>` to all `OPTIONS` requests
# Add `Vary: Origin` to all `OPTIONS` requests
# Add `Access-Control-Allow-Credentials: true` to all `OPTIONS` requests
# Add `Access-Control-Allow-Methods: HEAD, GET` (and any other methods supported by the REST API) to all `OPTIONS` requests
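The following is an added example (not MediaWiki code) that models both proposals above as one header-computation function: the wildcard default with an intranet switch from the Origin section, and the allowlist-plus-credentials alternative from the Credentials section. `CorsConfig`, `cors_headers` and the origin strings are assumptions made for the demo. It goes slightly beyond the lists above in two respects: it never emits `Access-Control-Allow-Credentials` together with `*`, because browsers reject that combination, and it adds `Vary: Origin` on every response that echoes an origin rather than only on `OPTIONS`, so a shared cache can never hand one allowlisted origin's header to another (the point above that credentialed requests bypass the cache makes this redundant rather than wrong). The allowlist check is an exact string comparison, since prefix/suffix/regex matching of `Origin` is the usual way CORS allowlists go wrong, and `null` is refused because sandboxed iframes and `file://` pages send it.

```python
"""CORS response headers for a REST API, following the two options in the task.

Constructed example; CorsConfig and cors_headers are not MediaWiki APIs.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class CorsConfig:
    # Public wikis: any origin may read responses.  Set to False for a wiki
    # behind a firewall (the "config option to disable" from the Origin section).
    allow_any_origin: bool = True
    # Exact origins (scheme://host[:port]) allowed to send cookies cross-origin,
    # i.e. the existing origin allowlist.  Entries here are constructed for the demo.
    credentialed_origins: Tuple[str, ...] = ()
    # Methods the REST API supports; HEAD and GET as in the task, extend as needed.
    allowed_methods: Tuple[str, ...] = ("HEAD", "GET")


def cors_headers(method: str, origin: Optional[str], config: CorsConfig) -> Dict[str, str]:
    """Return the CORS headers to add to one response.

    `method` is the request method (a preflight is an OPTIONS request).
    `origin` is the request's Origin header, or None for same-origin and
    non-browser requests, which need no CORS headers at all.
    """
    headers: Dict[str, str] = {}
    if origin is None:
        return headers
    is_preflight = method.upper() == "OPTIONS"

    # Option B: allowlisted origin -> echo it back and permit credentials.
    # Exact, case-sensitive match only: endswith("wikipedia.org") would also
    # accept "evil-wikipedia.org", and "null" must never be allowlisted.
    if origin != "null" and origin in config.credentialed_origins:
        headers["Access-Control-Allow-Origin"] = origin
        headers["Vary"] = "Origin"
        headers["Access-Control-Allow-Credentials"] = "true"
        if is_preflight:
            headers["Access-Control-Allow-Methods"] = ", ".join(config.allowed_methods)
        return headers

    # Option A: wildcard for everyone else, unless disabled for an intranet wiki.
    if config.allow_any_origin:
        headers["Access-Control-Allow-Origin"] = "*"
        if is_preflight:
            # Lets an OAuth2 bearer token (Authorization header) pass the preflight
            # from any origin; the client holds no secret that "*" could leak.
            headers["Access-Control-Allow-Headers"] = "Authorization"
            headers["Access-Control-Allow-Methods"] = ", ".join(config.allowed_methods)
        # Deliberately no Access-Control-Allow-Credentials here: browsers refuse
        # "*" combined with credentials, so cookies never ride on the wildcard.
        return headers

    # Intranet wiki, origin not allowlisted: no CORS headers, browser blocks the read.
    return headers


if __name__ == "__main__":
    public = CorsConfig()
    intranet = CorsConfig(allow_any_origin=False, credentialed_origins=("https://tool.example",))
    for label, cfg in (("public", public), ("intranet", intranet)):
        for method, origin in (("GET", "https://other.example"),
                               ("OPTIONS", "https://other.example"),
                               ("GET", "https://tool.example"),
                               ("GET", "https://evil-tool.example")):
            print(label, method, origin, cors_headers(method, origin, cfg))
```

Running the block prints the header set for each combination; the allowlist branch never fires for `https://evil-tool.example` because the comparison is exact, and the public configuration never carries `Access-Control-Allow-Credentials`.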
==== Related
* {T210790}
* {T256535}