Legoktm added a comment.
When WDQS first launched, we intentionally removed it from the CORS whitelist
(previously *.wikidata.org was whitelisted IIRC) as a security hardening
measure.
I would suggest that WDQS plan to shorten URLs anonymously. Since it's
happening client-side (AIUI),

Lucas_Werkmeister_WMDE added a comment.
`origin=*` makes the request anonymous. Apparently anonymous users are
allowed to shorten URLs (subject to a rate limit), but I think it would be
nicer to tie the URLs to the user if they’re logged in.
(I’m also surprised at the lack of a CSRF

Bawolff added a comment.
Reading https://meta.wikimedia.org/w/api.php?action=help=shortenurl -
doesn't seem to require a CSRF token, so I'm not sure that CORS is needed here?
(more specifically, you can use the generic origin=* I think).
Although query.wikidata.org is fairly trusted,