From: Brad Jorsch <bjorsch@wikimedia.org>
Date: Wed, 3 Apr 2013 16:09:12 +0000 (-0400)
Subject: Improve API 'origin' parameter description
X-Git-Tag: 1.31.0-rc.0~20121
X-Git-Url: http://git.cyclocoop.org/%22.%24h.%22?a=commitdiff_plain;h=cdb562b09e654d1b06474a7d7c39d8f239b719ea;p=lhc%2Fweb%2Fwiklou.git

Improve API 'origin' parameter description

When making CORS pre-flight requests, the origin parameter must still be
included. This means that it cannot be in the POST body, as that is not
sent for pre-flight.

Document that.

Change-Id: I3fc809cf2e4ca9c2566f62d32f96d24377c72863
---

diff --git a/includes/api/ApiMain.php b/includes/api/ApiMain.php
index a6813e324f..abd47b20eb 100644
--- a/includes/api/ApiMain.php
+++ b/includes/api/ApiMain.php
@@ -1048,6 +1048,7 @@ class ApiMain extends ApiBase {
 			'servedby' => 'Include the hostname that served the request in the results. Unconditionally shown on error',
 			'origin' => array(
 				'When accessing the API using a cross-domain AJAX request (CORS), set this to the originating domain.',
+				'This must be included in any pre-flight request, and therefore must be part of the request URI (not the POST body).',
 				'This must match one of the origins in the Origin: header exactly, so it has to be set to something like http://en.wikipedia.org or https://meta.wikimedia.org .',
 				'If this parameter does not match the Origin: header, a 403 response will be returned.',
 				'If this parameter matches the Origin: header and the origin is whitelisted, an Access-Control-Allow-Origin header will be set.',