https://bugzilla.wikimedia.org/show_bug.cgi?id=20814

Tim Starling <tstarl...@wikimedia.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |tstarl...@wikimedia.org

--- Comment #6 from Tim Starling <tstarl...@wikimedia.org> 2011-05-10 00:33:14 UTC ---
This would break squid caching. I don't see a "Vary: Origin" header, so
whichever subdomain requests a given cacheable object first will have an
Access-Control-Allow-Origin header sent back with the origin subdomain in it.
The header will be cached, so subsequent requests from different domains will
be denied by the client.

Vary: Origin would be a disaster for caching anyway, since there are hundreds of
internal domains, and external domains could potentially send this header also.

As for the code in api.php: the Origin header is a whitespace-separated list of
origins. Running an unanchored case-sensitive regex against the whole string is
not appropriate. Section 5.1 of the July 2010 CORS spec gives the correct
algorithm:

http://www.w3.org/TR/2010/WD-cors-20100727/#resource-requests

One possible way to support CORS would be to require that the origin be
specified in a URL parameter. If the URL parameter matches the Origin header,
then the access control header can be sent with Vary: Origin. If it doesn't
match, a 403 can be sent with CC: no-cache. If the URL parameter is missing, no
Vary header or access control header is sent. This means that caching will only
be broken to the extent necessary to support the feature.

Another way to do it would be to implement the whole feature in Squid. A custom
response header from MediaWiki, similar to X-Vary-Options, would specify the
complete list of allowable domains. Then Squid would handle setting the correct
access control headers in a post-cache step.
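The two points in the comment above, the per-origin check from section 5.1 of the 2010 CORS draft and the "origin URL parameter must match the Origin header" scheme, as an added Python illustration (not MediaWiki code, and not the api.php check being criticised). The allow list, the `origin` parameter name and the `naive_origin_check` pattern are constructed for the example; the spec-style check additionally requires the origin to be on the allow list before the access control header is sent, which the comment leaves implicit.

```python
import re

# Constructed allow list for the illustration; a real deployment would take
# this from site configuration.
ALLOWED_ORIGINS = frozenset({
    "https://en.wikipedia.org",
    "https://commons.wikimedia.org",
})


def parse_origin_header(value):
    """Split an Origin header into its list of origins.

    The July 2010 CORS draft (section 5.1) defines Origin as a
    whitespace-separated list of origins, so one string compare or one
    regex over the whole header is wrong: each listed origin has to be
    checked on its own.
    """
    return value.split() if value else []


def origin_allowed(value):
    """Spec-style check: every origin in the header must be an exact,
    case-sensitive match for an entry in the allow list."""
    origins = parse_origin_header(value)
    return bool(origins) and all(o in ALLOWED_ORIGINS for o in origins)


def naive_origin_check(value):
    """The class of check the comment objects to (constructed pattern, not
    the actual api.php code): an unanchored search for a trusted suffix.
    It accepts any origin that merely contains the substring, and it only
    looks at the header as a whole, not at each listed origin."""
    return re.search(r"wikimedia\.org|wikipedia\.org", value or "") is not None


def cors_response(query_origin, origin_header):
    """Decide status and CORS/cache headers for one request, following the
    URL-parameter scheme from the comment.

    query_origin  -- value of the hypothetical ``origin`` URL parameter, or None
    origin_header -- value of the request's Origin header, or None
    Returns (status, extra_headers).
    """
    if query_origin is None:
        # Feature not requested: no Vary, no ACAO, the object stays fully
        # cacheable and shared across all callers.
        return 200, {}
    if origin_header == query_origin and origin_allowed(origin_header):
        # The URL parameter is already part of the cache key; Vary: Origin
        # stops a cache from serving this copy to a request whose Origin
        # header differs from the parameter.
        return 200, {
            "Access-Control-Allow-Origin": origin_header,
            "Vary": "Origin",
        }
    # Parameter and header disagree, or the origin is not allowed: refuse,
    # and keep the refusal out of the cache.
    return 403, {"Cache-Control": "no-cache"}


if __name__ == "__main__":
    print(cors_response(None, "https://en.wikipedia.org"))
    print(cors_response("https://en.wikipedia.org", "https://en.wikipedia.org"))
    print(cors_response("https://en.wikipedia.org", "https://attacker.invalid"))
```

Only requests that carry the parameter pay the caching cost, which is the point of the scheme; a request without it gets the ordinary cached object with no access control header at all.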
