Somewhat related: https://phabricator.wikimedia.org/T210790
On Mon, May 6, 2019 at 9:05 AM Brad Jorsch (Anomie) <[email protected]> wrote:

> On Mon, May 6, 2019 at 7:14 AM Egbe Eugene <[email protected]> wrote:
>
> > After looking at [1]Manual:CORS and trying to perform a request with JQuery
> > from an external application, I still get the error message saying "Request
> > from origin has been blocked by CORS policy: No
> > 'Access-Control-Allow-Origin' header is present on the requested resource."
> >
> > This is from a simple GET request to get imageinfo from Commons.
> >
>
> Without seeing the actual code you tried, I can only guess.
>
> If you set the `origin` parameter to match the Origin header a browser
> sends from your external site, and your external site is not listed in
> $wgCrossSiteAJAXdomains,[1][2] the attempt to use CORS will be rejected. If
> you inspect the response received, you should see a header
> "MediaWiki-CORS-Rejection: Origin mismatch".
>
> If you didn't set the `origin` parameter to so match, but just copied the
> example at Manual:CORS, you should have received an HTTP 403 with a message
> "'origin' parameter does not match Origin header".
>
> If you set the `origin` parameter to "*" (that's the single character
> U+002A) and set withCredentials = false in jQuery's xhrFields, it should
> work from any remote site. But since cookies are neither being sent nor
> used, the response will be served to you as an IP user. The code for that
> could look something like this:
>
>     $.ajax( {
>         url: 'https://en.wikipedia.org/w/api.php',
>         data: {
>             action: 'query',
>             meta: 'userinfo',
>             format: 'json',
>             origin: '*'
>         },
>         xhrFields: {
>             withCredentials: false
>         },
>         dataType: 'json'
>     } ).done( function ( data ) {
>         console.log( 'Foreign user ' + data.query.userinfo.name + ' (ID ' +
>             data.query.userinfo.id + ')' );
>     } );
>
> It looks like https://www.mediawiki.org/wiki/Manual:CORS could use updating
> to include the origin=* option, and perhaps to make it clearer that
> logged-in accesses only work from whitelisted sites.
>
> [1]: Docs: https://www.mediawiki.org/wiki/Manual:$wgCrossSiteAJAXdomains
> [2]: Config:
> https://gerrit.wikimedia.org/r/plugins/gitiles/operations/mediawiki-config/+/6cdae859db1611ffba7f6507faf8c54c6d38d217/wmf-config/CommonSettings.php#631
>
> --
> Brad Jorsch (Anomie)
> Senior Software Engineer
> Wikimedia Foundation
> _______________________________________________
> Wikitech-l mailing list
> [email protected]
> https://lists.wikimedia.org/mailman/listinfo/wikitech-l
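
The outcomes described in the quoted message, modeled as one decision function so the credentialed and anonymous paths can be compared side by side. This is an added example, not code from the thread or from MediaWiki: `decideCors`, `domainPatternToRegExp`, `SAMPLE_ALLOWLIST`, the wildcard matching and the `Access-Control-*` response headers are assumptions beyond what the message states.

```javascript
// Simplified model of the API's CORS decision as described in the message
// above. Not MediaWiki's code; all names here are hypothetical.

// Assumed allowlist semantics: entries are domain patterns in which '*'
// matches any run of characters and '?' matches exactly one character.
function domainPatternToRegExp(pattern) {
  const escaped = pattern.replace(/[.+^${}()|[\]\\]/g, '\\$&');
  const body = escaped.replace(/\*/g, '.*').replace(/\?/g, '.');
  return new RegExp('^https?://' + body + '$', 'i');
}

function decideCors(originParam, originHeader, allowedDomains) {
  // origin=*: any site may read the response, but only as an anonymous user.
  if (originParam === '*') {
    return { outcome: 'anonymous', credentials: false,
      headers: { 'Access-Control-Allow-Origin': '*' } };
  }
  // Parameter and Origin header disagree: HTTP 403 with a text message.
  if (originParam !== originHeader) {
    return { outcome: 'http-403', status: 403, credentials: false,
      body: "'origin' parameter does not match Origin header" };
  }
  // They agree, but the calling site is not on the allowlist.
  const listed = allowedDomains.some(
    (p) => domainPatternToRegExp(p).test(originHeader)
  );
  if (!listed) {
    return { outcome: 'rejected', credentials: false,
      headers: { 'MediaWiki-CORS-Rejection': 'Origin mismatch' } };
  }
  // Allowlisted site: the only path on which cookies (a login) are honoured.
  return { outcome: 'credentialed', credentials: true,
    headers: { 'Access-Control-Allow-Origin': originHeader,
      'Access-Control-Allow-Credentials': 'true' } };
}

// Constructed sample allowlist, not Wikimedia's production value.
const SAMPLE_ALLOWLIST = ['*.example.org', 'tools.example.net'];
```

In this model only the last branch returns `credentials: true`, which matches the message's point that logged-in access works only from listed sites.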
