https://bugzilla.wikimedia.org/show_bug.cgi?id=20814
Tim Starling <tstarl...@wikimedia.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |tstarl...@wikimedia.org

--- Comment #6 from Tim Starling <tstarl...@wikimedia.org> 2011-05-10 00:33:14 UTC ---

This would break squid caching. I don't see a "Vary: Origin" header, so whichever subdomain requests a given cacheable object first will have an Access-Control-Allow-Origin header sent back with the origin subdomain in it. The header will be cached, so subsequent requests from different domains will be denied by the client. Vary: Origin would be a disaster for caching anyway, since there are hundreds of internal domains, and external domains could potentially send this header also.

As for the code in api.php: the Origin header is a whitespace-separated list of origins. Running an unanchored case-sensitive regex against the whole string is not appropriate. Section 5.1 of the July 2010 CORS spec gives the correct algorithm:

http://www.w3.org/TR/2010/WD-cors-20100727/#resource-requests

One possible way to support CORS would be to require that the origin be specified in a URL parameter. If the URL parameter matches the Origin header, then the access control header can be sent with Vary: Origin. If it doesn't match, a 403 can be sent with CC: no-cache. If the URL parameter is missing, no Vary header or access control header is sent. This means that caching will only be broken to the extent necessary to support the feature.

Another way to do it would be to implement the whole feature in Squid. A custom response header from MediaWiki, similar to X-Vary-Options, would specify the complete list of allowable domains. Then Squid would handle setting the correct access control headers in a post-cache step.

-- 
Configure bugmail: https://bugzilla.wikimedia.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
You are on the CC list for the bug.
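The two points in the comment above, Origin being a space-separated list that must be matched token by token rather than with an unanchored regex, and the URL-parameter scheme that keeps the cacheable object free of per-origin headers unless a caller asks for them, as an added illustrative example. This is not MediaWiki's api.php code and is written in Python rather than PHP; the parameter name `origin`, the allowlist and the sample requests are constructed for the example.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed allowlist of origins this API may answer for; not a Wikimedia setting.
ALLOWED_ORIGINS = frozenset({
    "https://en.wikipedia.org",
    "https://commons.wikimedia.org",
})


def unanchored_regex_allows(origin_header: str) -> bool:
    """The kind of check the comment criticises: an unanchored, case-sensitive
    regex searched against the raw Origin value. Constructed for contrast; it is
    not the api.php code itself. Any string *containing* an allowed origin passes."""
    return re.search(r"https://en\.wikipedia\.org", origin_header) is not None


def origin_tokens(origin_header: str) -> List[str]:
    """Split the Origin header on U+0020 SPACE, as CORS section 5.1 describes."""
    return [tok for tok in origin_header.split(" ") if tok]


def origin_allowed(origin_header: str, allowed=ALLOWED_ORIGINS) -> bool:
    """Every token must be an exact, case-sensitive member of the allowlist.
    Whole-token membership, not substring search, so a host that merely starts
    with an allowed origin does not pass."""
    tokens = origin_tokens(origin_header)
    return bool(tokens) and all(tok in allowed for tok in tokens)


def _header(headers: Dict[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup (HTTP field names are case-insensitive)."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def cors_response(params: Dict[str, str], headers: Dict[str, str],
                  allowed=ALLOWED_ORIGINS) -> Tuple[int, Dict[str, str]]:
    """Decide the CORS-related response headers for one cacheable API request.

    Follows the URL-parameter scheme from the comment (assumed parameter name
    'origin'):
      * no 'origin' parameter: 200 with no Vary and no ACAO header, so the object
        caches normally and nothing per-origin is ever stored;
      * parameter equals the Origin header and is allowed: 200 with
        Access-Control-Allow-Origin plus Vary: Origin;
      * otherwise: 403 with Cache-Control: no-cache so the denial is not cached.
    Only the header decision is modelled; the API body is out of scope.
    """
    requested = params.get("origin")
    if requested is None:
        return 200, {}
    actual = _header(headers, "Origin") or ""
    if requested == actual and origin_allowed(actual, allowed):
        return 200, {"Access-Control-Allow-Origin": requested, "Vary": "Origin"}
    return 403, {"Cache-Control": "no-cache"}


if __name__ == "__main__":
    # Constructed requests, not captured traffic.
    print(cors_response({}, {"Origin": "https://en.wikipedia.org"}))
    print(cors_response({"origin": "https://en.wikipedia.org"},
                        {"Origin": "https://en.wikipedia.org"}))
    print(cors_response({"origin": "https://en.wikipedia.org"},
                        {"Origin": "https://en.wikipedia.org.not-allowed.example"}))
```

The cache-key reasoning is the useful part: because the `origin` URL parameter is part of the cache key, the 200 with `Access-Control-Allow-Origin` is only ever stored under a URL that names that origin, while requests without the parameter share one fully cacheable copy with no CORS headers at all.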
_______________________________________________
Wikibugs-l mailing list
Wikibugs-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikibugs-l