Improve API 'origin' parameter description

When making CORS pre-flight requests, the origin parameter must still be
included. This means that it cannot be in the POST body, as that is not
sent for pre-flight.

Document that.

Change-Id: I3fc809cf2e4ca9c2566f62d32f96d24377c72863

diff --git a/includes/api/ApiMain.php b/includes/api/ApiMain.php
index a6813e3..abd47b2 100644 (file)
--- a/includes/api/ApiMain.php
+++ b/includes/api/ApiMain.php
@@ -1048,6 +1048,7 @@ class ApiMain extends ApiBase {
                        'servedby' => 'Include the hostname that served the request in the results. Unconditionally shown on error',
                        'origin' => array(
                                'When accessing the API using a cross-domain AJAX request (CORS), set this to the originating domain.',
+                               'This must be included in any pre-flight request, and therefore must be part of the request URI (not the POST body).',
                                'This must match one of the origins in the Origin: header exactly, so it has to be set to something like http://en.wikipedia.org or https://meta.wikimedia.org .',
                                'If this parameter does not match the Origin: header, a 403 response will be returned.',
                                'If this parameter matches the Origin: header and the origin is whitelisted, an Access-Control-Allow-Origin header will be set.',