**Origin**
The [[ https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin | Access-Control-Allow-Origin ]] response header should be set for all requests and given a default value of `*` for wikis that are not on an intranet (i.e. behind a firewall). It is [[ https://annevankesteren.nl/2012/12/cors-101 | completely safe ]] to set this as the default value. MediaWiki should allow this behavior to be disabled if you are running MediaWiki on an intranet.
Doing this will provide for a much better developer experience as developers will be able to use the API from another origin automatically.
Related: T210790
**Credentials**
If the API allows for authorization with the [[ https://oauth.net/2/grant-types/authorization-code/ | authorization code grant ]] (or some other authorization mechanism that is //stateless// and does not force the client app to expose its own secrets), then it is safe to add [[ https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Credentials | Access-Control-Allow-Credentials ]]. However, if the request carries credentials, the [[ https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin | Access-Control-Allow-Origin ]] will need to be specific to the [[ https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Origin | Origin ]] requested. Since credentialed requests are not cached anyway, this shouldn't be a problem.
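As an added illustration (not code from this task or from MediaWiki itself), the following Python function encodes the header policy described in both sections above: a wildcard `Access-Control-Allow-Origin` for non-credentialed requests on a public wiki, no CORS headers at all on an intranet wiki, and an Origin-specific `Access-Control-Allow-Origin` together with `Access-Control-Allow-Credentials` only for credentialed requests from an origin on a trusted list. The function name, the trusted-origin list and the sample origins are assumptions made for the example.

```python
from typing import Dict, Optional, Set

# Constructed allow-list for the credentialed case (example values only).
# Browsers send "Origin: null" from sandboxed or file:// contexts, so
# "null" must never appear in this set.
TRUSTED_ORIGINS: Set[str] = {"https://tools.example.org", "https://app.example.net"}


def cors_headers(origin: Optional[str],
                 credentialed: bool,
                 intranet: bool = False,
                 trusted: Set[str] = TRUSTED_ORIGINS) -> Dict[str, str]:
    """Return the CORS response headers for one API request.

    origin       value of the request's Origin header, or None if absent
    credentialed True when the browser attached cookies or an Authorization
                 header (fetch with credentials: 'include')
    intranet     True switches cross-origin access off entirely
    """
    headers: Dict[str, str] = {}

    if intranet or origin is None:
        # Intranet wikis expose nothing cross-origin; requests without an
        # Origin header are same-origin or non-browser and need no CORS.
        return headers

    if not credentialed:
        # Anonymous request: the wildcard is safe, and the response is the
        # same for every origin, so shared caches need no Vary hint.
        headers["Access-Control-Allow-Origin"] = "*"
        return headers

    # Credentialed request: browsers refuse "*" combined with
    # Access-Control-Allow-Credentials, so the exact Origin has to be
    # echoed back, and only for origins the wiki trusts.
    if origin not in trusted:
        # Unknown origin: send no CORS headers, so the browser blocks the
        # cross-origin read of the credentialed response.
        return headers

    headers["Access-Control-Allow-Origin"] = origin
    headers["Access-Control-Allow-Credentials"] = "true"
    # The response body is now tied to one Origin; a Vary header keeps any
    # intermediate cache from handing it to a different origin.
    headers["Vary"] = "Origin"
    return headers


if __name__ == "__main__":
    # Constructed sample requests showing each branch of the policy.
    print(cors_headers("https://random.example", credentialed=False))
    print(cors_headers("https://random.example", credentialed=True))
    print(cors_headers("https://tools.example.org", credentialed=True))
    print(cors_headers("https://tools.example.org", credentialed=False, intranet=True))
```

The `Vary: Origin` line is the one piece a wildcard-only deployment can skip: once the header value depends on the requesting origin, a cache that ignores `Origin` could serve a response allowed for one site to a page on another.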