Page MenuHomeMiraheze

API Requests to Wikibase Repositories are blocked
Open, NormalPublic


If you click the "Add interlanguage links" button on wikis using the WikibaseClient extension, there is an error shown in the UI that simply says "." and the following error appears in the console:

Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at (Reason: CORS header ‘Access-Control-Allow-Origin’ missing). Status code: 200.

Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at<REDACTED>&meta=userinfo. (Reason: CORS header ‘Access-Control-Allow-Origin’ missing). Status code: 200.


Event Timeline

Redmin triaged this task as Normal priority.Oct 8 2023, 08:54
Redmin created this task.

"CORS header ‘Access-Control-Allow-Origin’ missing", huh? We could do like on and just return the wildcard on requests to wikis to fix this, unless someone wants to try the fancier method varying the origin depending on the clientside "Host" header.

OrangeStar removed OrangeStar as the assignee of this task.EditedOct 29 2023, 18:22

Hmmm, maybe setting the wildcard is not such a good idea:

Warning: Using the wildcard to allow all sites to access a private API is a bad idea.

To allow any site to make CORS requests without using the * wildcard (for example, to enable credentials), your server must read the value of the request's Origin header and use that value to set Access-Control-Allow-Origin, and must also set a Vary: Origin header to indicate that some headers are being set dynamically depending on the origin.

So, if I understand this correctly, the browser will NOT send cookies ( if the wildcard is returned, so MediaWiki will not know it is you making these requests. This will break the first request in this task, where it is retrieving API tokens on snapdatawiki, I think.

The proper way forward would seem to be checking the origin and varying Access-Control-Allow-Origin depending on that. Just setting it to the same value as the clientside Origin header seems... unsafe, somehow? It's effectively the same as just the wildcard.

So, in an ideal world, in Varnish, we would return the Access-Control-Allow-Origin header on requests to the Action API that would be equal to the Origin header after checking it against an array of hostnames pointing to miraheze wikis. This is not possible cause of custom domains, I think? Since Varnish doesn't seem to be aware of all the possible custom domains we can serve.

This may be all wrong, but since I don't know enough about all the implications of this, I'm not comfortable working on this task for now.

(Note to self: This is what CORS is about ->