To allow client-side JavaScript applications to fetch information from MediaWiki APIs, please add the following header to API responses, allowing the response to be read by an application running on a different domain:
Access-Control-Allow-Origin: *
========
https://www.mediawiki.org/wiki/API:Cross-site_requests
The current documentation for CORS usage in cross-site requests states:
"If the CORS origin check passes, MediaWiki will include the Access-Control-Allow-Credentials: true header in the response, so authentication cookies may be sent."
What it should also say -- once this is implemented -- is that if the CORS origin check **doesn't** pass, MediaWiki will **not** include the Access-Control-Allow-Credentials: true header in the response, so authentication cookies may **not** be sent, but MediaWiki will still include the Access-Control-Allow-Origin: * header so that responses to **unauthenticated** requests can be read from any origin.
========
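The header selection requested above, sketched as an added example (not MediaWiki's code), together with the read check a browser applies under the Fetch standard. `ALLOWED_ORIGINS`, `corsHeaders` and `browserAllowsRead` are hypothetical names, and the origins are constructed sample values.

```javascript
// Hypothetical allowlist standing in for the wiki's configured CORS origins.
const ALLOWED_ORIGINS = new Set([
  "https://en.wikipedia.example",
  "https://commons.wikimedia.example",
]);

// Server side: choose the CORS response headers for one API request.
function corsHeaders(requestOrigin) {
  const headers = {};
  if (requestOrigin && ALLOWED_ORIGINS.has(requestOrigin)) {
    // Origin check passes: echo the exact origin and permit cookies.
    headers["Access-Control-Allow-Origin"] = requestOrigin;
    headers["Access-Control-Allow-Credentials"] = "true";
    // The response now differs per origin, so caches must key on it.
    headers["Vary"] = "Origin";
  } else {
    // Origin check fails: readable from anywhere, but never with
    // Access-Control-Allow-Credentials, so only anonymous reads work.
    headers["Access-Control-Allow-Origin"] = "*";
  }
  return headers;
}

// Browser side: the CORS check that decides whether page script may
// read the response. withCredentials models credentials: "include".
function browserAllowsRead(headers, pageOrigin, withCredentials) {
  const allowOrigin = headers["Access-Control-Allow-Origin"];
  if (allowOrigin === undefined) return false;
  // The wildcard is honoured only for requests made without credentials.
  if (!withCredentials && allowOrigin === "*") return true;
  if (allowOrigin !== pageOrigin) return false;
  if (!withCredentials) return true;
  return headers["Access-Control-Allow-Credentials"] === "true";
}

// Constructed third-party origin that is not on the allowlist.
const thirdParty = "https://app.example";
const anon = corsHeaders(thirdParty);
console.log(anon, browserAllowsRead(anon, thirdParty, false),
  browserAllowsRead(anon, thirdParty, true));
```

A third-party page can read the anonymous response, while the same request made with cookies is refused by the browser because the wildcard never pairs with credentials.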
Notes:
- JSONP, which is currently enabled, is an old, less secure workaround for the problem that CORS now solves correctly.
- [[ https://phabricator.wikimedia.org/T62835 | A previous request that was declined for invalid reasons. ]]
- [[ https://www.mediawiki.org/wiki/Thread:Talk:Requests_for_comment/API_Future/CORS_and_third-party_web_apps | A related API roadmap discussion ]]
- Users trying to access a MediaWiki API and expecting CORS to be enabled: [[ https://stackoverflow.com/questions/3873636/no-response-from-mediawiki-api-using-jquery | 1 ]], [[ https://stackoverflow.com/questions/23952045/wikipedia-api-cross-origin-requests | 2 ]]