https://bugzilla.wikimedia.org/show_bug.cgi?id=60835
--- Comment #7 from Dereckson ---
For information, on every public wiki hosted in the WMF cluster,
$wgCrossSiteAJAXdomains contains the following domains:
'*.wikipedia.org',
'*.wikinews.org',
'*.wiktionary.org',
https://bugzilla.wikimedia.org/show_bug.cgi?id=60835
--- Comment #6 from eaton@gmail.com ---
I've set up a demonstration which shows that cross-domain requests are
forbidden from using withCredentials=true when Access-Control-Allow-Origin is
set to "*".
This page sets a cookie for the subdoma
https://bugzilla.wikimedia.org/show_bug.cgi?id=60835
--- Comment #5 from eaton@gmail.com ---
The thing is, cross-domain XMLHttpRequests that receive
"Access-Control-Allow-Origin: *" responses are not allowed[1] to contain
authentication information (cookies or HTTP authentication), so they're
https://bugzilla.wikimedia.org/show_bug.cgi?id=60835
Chris Steipp changed:
What|Removed |Added
Status|UNCONFIRMED |RESOLVED
Resolution|---
https://bugzilla.wikimedia.org/show_bug.cgi?id=60835
Brad Jorsch changed:
What|Removed |Added
CC||cste...@wikimedia.org
--- Comment #3 fro
https://bugzilla.wikimedia.org/show_bug.cgi?id=60835
--- Comment #2 from eaton@gmail.com ---
Yes - the existing support for CORS headers requires that requests have an
'origin' parameter which matches the 'Origin' header and is one of the
whitelisted MediaWiki domains.
https://bugzilla.wikimedia.org/show_bug.cgi?id=60835
Andre Klapper changed:
What|Removed |Added
CC||bjor...@wikimedia.org
Summa