Reimplement CORS properly, addressing Tim's concerns
Tim's concerns (listed at
https://bugzilla.wikimedia.org/show_bug.cgi?id=20814#c6) were:
* Lack of Vary: Origin breaks Squid caching
* Vary: Origin on everything would be disastrous, so add an origin param
* Origin header is space-separated list, wasn't treated as such
This commit:
* Remove CORS code from api.php and reimplement it in ApiMain.php
* Add 'origin' parameter to ApiMain
* If 'origin' parameter doesn't match Origin header, send a 403
* If origin is whitelisted, set CORS headers and set Vary: Origin
* Add https?:// to wildcard matching logic, wasn't there but is needed
CORS now works :) you can test it locally as follows:
Set $wgCrossSiteAJAXdomains[] = '*.wikipedia.org';
Log into MediaWiki on localhost
Go to Wikipedia, open a JS console, and run:
$.ajax( {
'url': 'http://localhost/w/api.php',
'data': {
'action': 'query',
'meta': 'userinfo',
'format': 'json',
'origin': 'https://en.wikipedia.org'
// or whichever domain you're on; must be correct!
},
'xhrFields': {
'withCredentials': true
},
'success': function( data ) {
alert( 'Foreign user ' + data.query.userinfo.name +
' (ID ' + data.query.userinfo.id + ')' );
}
} );
Change-Id: I725ce176866d7c81dd9ad6d7bc4a86b7160f2458
dépôts / lhc / web / wiklou.git / commit