From d40cb987989069328983392ba2b1ff857811211e Mon Sep 17 00:00:00 2001 From: =?utf8?q?Bartosz=20Dziewo=C5=84ski?= Date: Sat, 10 Sep 2016 21:01:26 +0200 Subject: [PATCH] mw.ForeignApi: Allow anonymous requests When 'anonymous: true' is passed: * Send 'origin=*' in the query parameters, so that MediaWiki treats the request as anonymous (same as for JSONP requests). * Set 'withCredentials: false' in AJAX options, so that the browser doesn't try to send cookies and accepts the response with the 'Access-Control-Allow-Origin: *' header. Bug: T145294 Change-Id: Ic93d733cb9e1b1d7301f8975c68ab7ded778845a --- resources/src/mediawiki/ForeignApi.js | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/resources/src/mediawiki/ForeignApi.js b/resources/src/mediawiki/ForeignApi.js index 899daa57a4..f51403fd39 100644 --- a/resources/src/mediawiki/ForeignApi.js +++ b/resources/src/mediawiki/ForeignApi.js @@ -35,6 +35,9 @@ * @constructor * @param {string|mw.Uri} url URL pointing to another wiki's `api.php` endpoint. * @param {Object} [options] See mw.Api. + * @param {Object} [options.anonymous=false] Perform all requests anonymously. Use this option if + * the target wiki may otherwise not accept cross-origin requests, or if you don't need to + * perform write actions or read restricted information and want to avoid the overhead. * * @author Bartosz Dziewoński * @author Jon Robson @@ -45,13 +48,14 @@ } this.apiUrl = String( url ); + this.anonymous = options && options.anonymous; options = $.extend( /*deep=*/ true, { ajax: { url: this.apiUrl, xhrFields: { - withCredentials: true + withCredentials: this.anonymous ? false : true } }, parameters: { @@ -76,7 +80,11 @@ * @return {string} */ CoreForeignApi.prototype.getOrigin = function () { - var origin = location.protocol + '//' + location.hostname; + var origin; + if ( this.anonymous ) { + return '*'; + } + origin = location.protocol + '//' + location.hostname; if ( location.port ) { origin += ':' + location.port; } -- 2.20.1