[Bug 19907] Cross-domain AJAX request support

2011-12-29 Thread bugzilla-daemon
https://bugzilla.wikimedia.org/show_bug.cgi?id=19907

Krinkle krinklem...@gmail.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |krinklem...@gmail.com

--- Comment #16 from Krinkle krinklem...@gmail.com 2011-12-29 11:25:26 UTC ---
(In reply to comment #14)
> The catch here is in the definition of credentialed request. We don't want
> this to mean any request that passes a cookie because that would be
> excessive; rather, we want this to mean any request that would actually use
> the cookie information, i.e. requests with user-specific or privileged
> things.

Makes sense. Although it might get a bit complicated when put into perspective
of the CORS point of view.

So from the browser perspective, for requests that are NOT credentialed the
browser will not send cookies that it has stored for that domain/path, meaning
that the API will not receive them and the user is treated as a logged-out user.

So it looks like this looks good for us on both sides (we can't cache
user-specific stuff, user-specific stuff should be in a credentialed request,
CORS specification / browsers make it impossible for non-credentialed
requests to be user-specific anyway).

-- 
Configure bugmail: https://bugzilla.wikimedia.org/userprefs.cgi?tab=email
--- You are receiving this mail because: ---
You are on the CC list for the bug.

___
Wikibugs-l mailing list
Wikibugs-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikibugs-l


[Bug 19907] Cross-domain AJAX request support

2011-12-29 Thread bugzilla-daemon
https://bugzilla.wikimedia.org/show_bug.cgi?id=19907

Krinkle krinklem...@gmail.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|REOPENED                    |RESOLVED
         Resolution|                            |FIXED

--- Comment #17 from Krinkle krinklem...@gmail.com 2011-12-29 13:09:17 UTC ---
By the way, before we get things mixed up:

* MediaWiki supports this already and has for over a year now. So I'm marking
this bug fixed.
* Then, to have it enabled for Wikimedia sites is bug 20814.
* That wasn't done yet due to cache restrictions, so the second request is to
make this even better and be compatible in a special way with WMF's cache
infrastructure. That feature request was logged a while ago under bug 30881.



[Bug 19907] Cross-domain AJAX request support

2011-12-21 Thread bugzilla-daemon
https://bugzilla.wikimedia.org/show_bug.cgi?id=19907

--- Comment #15 from Tisza Gergő gti...@gmail.com 2011-12-21 17:37:37 UTC ---
Normally, only credentialed requests pass cookies. When a client tries to send
a credentialed request, the browser will send a preflight request first (an
OPTIONS request with some CORS-specific headers like Origin), and only sends
the request (with cookies) if the Allow-Origin and Allow-Credentials response
headers are OK. Uncredentialed requests are transmitted without cookies
(http://www.w3.org/TR/cors/#make-a-request-steps - "...and include user
credentials if the credentials flag is true". Though apparently not all
implementations honor this:
http://stackoverflow.com/questions/6096919/android-credentials-always-sent-with-cors-requests
).



[Bug 19907] Cross-domain AJAX request support

2011-12-20 Thread bugzilla-daemon
https://bugzilla.wikimedia.org/show_bug.cgi?id=19907

Roan Kattouw roan.katt...@gmail.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |REOPENED
         Resolution|FIXED                       |

--- Comment #14 from Roan Kattouw roan.katt...@gmail.com 2011-12-20 14:40:50 UTC ---
(In reply to comment #13)
> Roan, is your comment 12 something you will be able to get to, or should I
> start a new bug for it?
I'm sorry for the delay, thank you for reminding me. There were serious issues
with the implementation, mostly regarding caching. Those issues would have to
be addressed in MediaWiki before CORS can be enabled for the API.

The root of the caching issue is comment #7: the Access-Control-Allow-Origin
header we send back contains the origin domain of the foreign request, and if
that header gets cached, we're screwed.

Fortunately, there's a way around this if I'm reading this correctly. For
non-credentialed requests, we can send Allow-Origin: * . For credentialed
requests, we have to send Allow-Origin: $ORIGIN and Allow-Credentials: true ,
but we can just set a no caching header for those, as credentialed requests
aren't supposed to be cached anyway.

The catch here is in the definition of credentialed request. We don't want
this to mean any request that passes a cookie because that would be
excessive; rather, we want this to mean any request that would actually use
the cookie information, i.e. requests with user-specific or privileged things.
Maybe we can tie this to the cache mode?

This is interesting stuff and I have new inspiration for it now :) , so I'll
poke at it today or tomorrow.

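The header split proposed in comment #14, as an added Python sketch that is not part of the thread or of MediaWiki's code: it shows why echoing the origin into a cacheable response breaks for the next caller, and how `*` plus a no-cache rule for credentialed responses avoids that. `cors_headers`, `SharedCache`, `browser_allows`, the origins and the Cache-Control values are assumptions made for illustration.

```python
# Added illustration; every name here is hypothetical, not MediaWiki code.
ALLOWED_ORIGINS = {"https://tools.example.org"}  # constructed allow-list


def cors_headers(origin, credentialed, wildcard_safe=True):
    """Return CORS/cache headers for one API response.

    wildcard_safe=False reproduces the problem from comment #14: the
    caller's origin is echoed into a response a shared cache may store.
    """
    if origin is None:
        return {}  # no Origin header: not a cross-origin request
    if credentialed:
        if origin not in ALLOWED_ORIGINS:
            return {"Cache-Control": "private, no-store"}
        # Comment #7: '*' is not valid with credentials, name the origin
        return {
            "Access-Control-Allow-Origin": origin,
            "Access-Control-Allow-Credentials": "true",
            "Cache-Control": "private, no-store",  # assumed no-cache value
        }
    acao = "*" if wildcard_safe else origin
    return {"Access-Control-Allow-Origin": acao,
            "Cache-Control": "public, max-age=300"}


class SharedCache:
    """Toy front-end cache keyed on URL only (it ignores Origin)."""

    def __init__(self):
        self.store = {}

    def fetch(self, url, origin, credentialed=False, wildcard_safe=True):
        if not credentialed and url in self.store:
            return self.store[url]  # served without reaching the backend
        headers = cors_headers(origin, credentialed, wildcard_safe)
        if "public" in headers.get("Cache-Control", ""):
            self.store[url] = headers
        return headers


def browser_allows(headers, origin, credentialed=False):
    """The check a browser applies before exposing the response to script."""
    acao = headers.get("Access-Control-Allow-Origin")
    if credentialed:
        return (acao == origin and
                headers.get("Access-Control-Allow-Credentials") == "true")
    return acao in ("*", origin)
```
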


[Bug 19907] Cross-domain AJAX request support

2011-12-19 Thread bugzilla-daemon
https://bugzilla.wikimedia.org/show_bug.cgi?id=19907

--- Comment #13 from Brett Zamir bret...@yahoo.com 2011-12-20 04:30:22 UTC ---
Roan, is your comment 12 something you will be able to get to, or should I
start a new bug for it?



[Bug 19907] Cross-domain AJAX request support

2011-12-13 Thread bugzilla-daemon
https://bugzilla.wikimedia.org/show_bug.cgi?id=19907

Krinkle krinklem...@gmail.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Keywords|need-review, patch          |



[Bug 19907] Cross-domain AJAX request support

2011-04-27 Thread bugzilla-daemon
https://bugzilla.wikimedia.org/show_bug.cgi?id=19907

--- Comment #12 from Roan Kattouw roan.katt...@gmail.com 2011-04-27 12:57:04 UTC ---
(In reply to comment #11)
> I understand from https://bugzilla.wikimedia.org/show_bug.cgi?id=28700#c4 that
> CORS, though implemented, is not configured. Can I ask what the hold-up here
> is? Was the code accepted simply to be available to other Mediawiki
> installations, or is it planned for the Wikimedia sites after some condition is
> met?
It was planned to be enabled at WMF, but no one ever got to it. I'll probably
set it up tomorrow.



[Bug 19907] Cross-domain AJAX request support

2011-04-26 Thread bugzilla-daemon
https://bugzilla.wikimedia.org/show_bug.cgi?id=19907

Brett Zamir bret...@yahoo.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |bret...@yahoo.com

--- Comment #11 from Brett Zamir bret...@yahoo.com 2011-04-27 02:02:28 UTC ---
I understand from https://bugzilla.wikimedia.org/show_bug.cgi?id=28700#c4 that
CORS, though implemented, is not configured. Can I ask what the hold-up here
is? Was the code accepted simply to be available to other Mediawiki
installations, or is it planned for the Wikimedia sites after some condition is
met?



[Bug 19907] Cross-domain AJAX request support

2009-08-03 Thread bugzilla-daemon
https://bugzilla.wikimedia.org/show_bug.cgi?id=19907


Cacycle oq9psc...@sneakemail.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |oq9psc...@sneakemail.com




--- Comment #9 from Cacycle oq9psc...@sneakemail.com 2009-08-04 01:02:26 UTC ---
It would be great if the toolserver could be whitelisted on Wikipedia. I am
planning a userscript/gadget that would use Diberri's Template Filler
http://toolserver.org/~diberri/cgi-bin/templatefiller. Due to cross-site
scripting limitations this is currently not possible.




[Bug 19907] Cross-domain AJAX request support

2009-08-03 Thread bugzilla-daemon
https://bugzilla.wikimedia.org/show_bug.cgi?id=19907





--- Comment #10 from Mike.lifeguard mike.lifegu...@gmail.com 2009-08-04 01:05:32 UTC ---
(In reply to comment #9)
> It would be great if the toolserver could be whitelisted on Wikipedia. I am
> planning a userscript/gadget that would use Diberri's Template Filler
> http://toolserver.org/~diberri/cgi-bin/templatefiller. Due to cross-site
> scripting limitations this is currently not possible.

That should be made as a site request after this feature goes live.




[Bug 19907] Cross-domain AJAX request support

2009-07-31 Thread bugzilla-daemon
https://bugzilla.wikimedia.org/show_bug.cgi?id=19907





--- Comment #6 from Roan Kattouw roan.katt...@gmail.com 2009-07-31 10:19:59 UTC ---
(In reply to comment #4)
> Created an attachment (id=6407)
>  -- (https://bugzilla.wikimedia.org/attachment.cgi?id=6407) [details]
> Patch against r54044
>
> Patch to add support for Access-Control-Allow-Origin in api.php
> This also uses the Access-Control-Allow-Credentials header, which I believe is
> required for anything that requires cookies.

A break; statement should be added after the second header() call in the
foreach(). Other than that, this patch looks good.




[Bug 19907] Cross-domain AJAX request support

2009-07-31 Thread bugzilla-daemon
https://bugzilla.wikimedia.org/show_bug.cgi?id=19907





--- Comment #7 from Roan Kattouw roan.katt...@gmail.com 2009-07-31 11:07:43 UTC ---
Note that in the case of credentialed requests, the
Access-Control-Allow-Origin: header must not have a wildcard value of *. It
must mention a valid origin domain.

This means that even if $wgCrossSiteAJAXdomains is set to '*', we have to
output the origin domain instead of '*' in the header.




[Bug 19907] Cross-domain AJAX request support

2009-07-31 Thread bugzilla-daemon
https://bugzilla.wikimedia.org/show_bug.cgi?id=19907


Alex Z. mrzmanw...@gmail.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |FIXED




--- Comment #8 from Alex Z. mrzmanw...@gmail.com  2009-07-31 21:57:40 UTC ---
Done in r54127




[Bug 19907] Cross-domain AJAX request support

2009-07-30 Thread bugzilla-daemon
https://bugzilla.wikimedia.org/show_bug.cgi?id=19907





--- Comment #4 from Alex Z. mrzmanw...@gmail.com  2009-07-30 23:59:00 UTC ---
Created an attachment (id=6407)
 -- (https://bugzilla.wikimedia.org/attachment.cgi?id=6407)
Patch against r54044

Patch to add support for Access-Control-Allow-Origin in api.php
This also uses the Access-Control-Allow-Credentials header, which I believe is
required for anything that requires cookies.

I can't really test this on a localhost test wiki, so would appreciate some
review.

Should we only allow this for the API, or should we do this for any entry
point?

For reference: http://dev.w3.org/2006/waf/access-control/




[Bug 19907] Cross-domain AJAX request support

2009-07-30 Thread bugzilla-daemon
https://bugzilla.wikimedia.org/show_bug.cgi?id=19907





--- Comment #5 from Derk-Jan Hartman hart...@videolan.org 2009-07-31 00:35:23 UTC ---
Another place where this might be useful, if not now then in future browser
versions, is likely cross wikimedia project login for people with strict
security settings for cookies.




[Bug 19907] Cross-domain AJAX request support

2009-07-25 Thread bugzilla-daemon
https://bugzilla.wikimedia.org/show_bug.cgi?id=19907


Roan Kattouw roan.katt...@gmail.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |roan.katt...@gmail.com




--- Comment #1 from Roan Kattouw roan.katt...@gmail.com 2009-07-25 17:49:03 UTC ---
Could you be more clear as to what exactly should be changed?




[Bug 19907] Cross-domain AJAX request support

2009-07-25 Thread bugzilla-daemon
https://bugzilla.wikimedia.org/show_bug.cgi?id=19907


Derk-Jan Hartman hart...@videolan.org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |hart...@videolan.org




--- Comment #2 from Derk-Jan Hartman hart...@videolan.org 2009-07-25 19:07:04 UTC ---
There is some more discussion about the Access-Control-Allow-Origin header
here:

https://developer.mozilla.org/En/HTTP_Access_Control




[Bug 19907] Cross-domain AJAX request support

2009-07-25 Thread bugzilla-daemon
https://bugzilla.wikimedia.org/show_bug.cgi?id=19907


Alex Z. mrzmanw...@gmail.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |mrzmanw...@gmail.com




--- Comment #3 from Alex Z. mrzmanw...@gmail.com  2009-07-25 21:20:32 UTC ---
I imagine this would be controlled by a configuration variable, something like
$wgCrossSiteAJAXdomains containing an array of domains allowed to make
cross-site AJAX requests to the API by the Access-Control-Allow-Origin header. 

https://developer.mozilla.org/En/Server-Side_Access_Control gives some PHP
examples of implementations.

