https://bugzilla.wikimedia.org/show_bug.cgi?id=20814
--- Comment #28 from Roan Kattouw <[email protected]> 2012-09-07 16:18:56 UTC ---

(In reply to comment #27)
> Sorry to be so clueless here and not noticing the original comment about
> this--but what is the harm in providing some read-only access to other
> domains?
> JSONP is already exposed, so why is this not being exposed openly?

JSONP is exposed, but locked down, and uses the browser's same-origin policy as part of the protection against CSRF. It would probably be possible to implement read-only CORS from non-Wikimedia domains, but that would be scary, easy to get wrong, and would remove a layer of protection that we currently have.

For the list of whitelisted origin domains (i.e. the list of domains from which you can make cross-domain AJAX requests to a WMF wiki), see https://gerrit.wikimedia.org/r/gitweb?p=operations/mediawiki-config.git;a=blob;f=wmf-config/CommonSettings.php;h=8a8952eeeb75a6a4b7133abc8a3c536d8ba24141;hb=HEAD#l764 . All wikis accept these cross-domain requests, except private wikis (i.e. wikis where people without accounts cannot read pages).
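
The comment above describes an origin whitelist that private wikis do not honour, and calls CORS "easy to get wrong". The following Python example is added here (it is not part of the original message and is not MediaWiki's code) and shows a server-side origin check that avoids the common matching mistakes. The allowlist entries, the `*.` pattern syntax and the function names are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Constructed allowlist for illustration; not the list in CommonSettings.php.
ALLOWED_ORIGIN_HOSTS = ["*.wiki.example", "commons.media.example"]


def host_allowed(host, patterns):
    """Match a hostname against exact names and '*.suffix' patterns."""
    host = host.lower().rstrip(".")
    for pattern in patterns:
        pattern = pattern.lower()
        if pattern.startswith("*."):
            # Require a dot boundary: 'evilwiki.example' must not match
            # '*.wiki.example', which a plain endswith('wiki.example') allows.
            suffix = pattern[1:]  # '.wiki.example'
            if host.endswith(suffix) and len(host) > len(suffix):
                return True
        elif host == pattern:
            return True
    return False


def cors_headers(origin_header, wiki_is_private, patterns=ALLOWED_ORIGIN_HOSTS):
    """Return CORS response headers for one request.

    An empty dict means no CORS headers are sent, so the browser's
    same-origin policy keeps blocking the cross-origin read.
    """
    if wiki_is_private or not origin_header:
        return {}  # private wikis accept no cross-domain requests
    try:
        parts = urlsplit(origin_header)
        host = parts.hostname
    except ValueError:
        return {}
    # An Origin is scheme://host[:port] only; reject 'null', paths, userinfo.
    if parts.scheme not in ("http", "https") or not host:
        return {}
    if parts.path or parts.query or parts.fragment or "@" in parts.netloc:
        return {}
    if not host_allowed(host, patterns):
        return {}
    # Echo the one matched origin, never '*', and make caches vary on Origin.
    return {"Access-Control-Allow-Origin": origin_header, "Vary": "Origin"}
```
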
