Some of us at the hackathon ran into this old bug again:

https://phabricator.wikimedia.org/T62835

namely, the MediaWiki API currently completely forbids cross-origin
requests in the CORS config except for whitelisting authenticated requests
from our own domains, whereas it could also allow non-authenticated
cross-origin requests from non-whitelisted domains.

This would allow browser-side JavaScript code on other sites (tools,
mashups, whatever) to get anonymous data from Wikipedia, Wikidata, etc.
without resorting to JSONP (an old-school hack whereby JSON data is loaded
via a callback in a <script> tag).

JSONP is fragile, and is unsafe for other sites to rely on, as it's a
potential cross-site scripting vector for them.

CORS is pretty mature these days, and should be something we can rely on. I
hope. :)

-- brion
_______________________________________________
Wikitech-l mailing list
Wikitech-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l
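The policy the mail argues for (credentialed cross-origin requests only from whitelisted domains, anonymous reads from anywhere), modelled as an added example of the server-side header decision; this is illustrative code written here, not MediaWiki's implementation, and the whitelist, request shape and `decideCors` name are assumptions.

```javascript
// Assumed whitelist of origins allowed to make authenticated cross-origin calls.
const WHITELIST = new Set([
  "https://en.wikipedia.org",
  "https://www.wikidata.org",
]);

// request: { origin, hasSessionCookie }
//   origin           - value of the Origin request header (undefined if absent)
//   hasSessionCookie - whether the request carried a login session
// Returns the CORS response headers to emit and whether the API should
// ignore the session and serve the request as a logged-out user.
function decideCors(request, whitelist = WHITELIST) {
  const { origin, hasSessionCookie } = request;

  // No Origin header: same-origin page or non-browser client, no CORS needed.
  if (!origin) {
    return { headers: {}, treatAsAnonymous: false };
  }

  // Whitelisted origin: echo it back (never "*", which browsers reject when
  // credentials are in play) and opt in to credentials. Vary: Origin keeps
  // caches from serving one origin's allow header to another.
  if (whitelist.has(origin)) {
    return {
      headers: {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Credentials": "true",
        "Vary": "Origin",
      },
      treatAsAnonymous: false,
    };
  }

  // Any other origin gets public data only: wildcard allow header, no
  // Allow-Credentials, and the session (if a browser sent one anyway) is
  // ignored so the response never reflects or acts on the user's login.
  return {
    headers: { "Access-Control-Allow-Origin": "*" },
    treatAsAnonymous: hasSessionCookie || true,
  };
}

// Sanity check used below: "*" and Allow-Credentials must never coexist.
function headersAreConsistent(headers) {
  return !(headers["Access-Control-Allow-Origin"] === "*" &&
           headers["Access-Control-Allow-Credentials"] === "true");
}
```

Unlike JSONP, the third-party page receives plain JSON data rather than executing a script from the API host, so the API cannot become a script-injection vector for that page.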