https://bugzilla.wikimedia.org/show_bug.cgi?id=20814
--- Comment #33 from Krinkle <[email protected]> 2012-09-18 13:38:29 UTC ---

(In reply to comment #32)
> @Krinkle: Thanks, but it would really be nice to have the error checking of
> CORS. I presume Roan knows what he is talking about, but if it is true what
> you say that the "API automatically puts itself in read-only anonymous user
> mode when accessing it through JSONP", then wouldn't this mode just need to
> be switched on in the case of cross-domain CORS?

No, not at all. That would make cross-domain CORS pretty much useless.

The API allows trusted interaction through all modes except JSONP. So when one server communicates with another server from PHP, it will be possible to authenticate and do things. And if two web sites communicate within the browser, it is also allowed, but only when both ends trust each other. Otherwise there would be a major security leak.

Just imagine what would happen if someone were to embed some JavaScript on a site somewhere that makes an AJAX request to the API to get a token and then edit a page. If you were to visit that other website (could be from a link in a chat application, Twitter, or e-mail etc.; it could even be masked by a genuine-looking redirect), then the second you visit that other site you'd suddenly (without you knowing) be making an edit on Wikipedia. Why? Because that AJAX request was made in your browser and you're still logged in, of course.

That's why
* JSON cross-origin requests are only allowed if both ends trust each other.
* JSONP requests are always allowed because they are unauthenticated.

You may wonder why it's not possible to cheat. The reason is that JSON (not JSONP) can only be read if the XHR allows one to read the response. And one can't make an edit without a token, which can only be sent if it was received first. So just making the request is not enough: it needs to be read and then sent back. That is the security model basically.

JSONP on the other hand works with a callback, which means it is unrestricted. Any function from anywhere can be named and is then invoked.

_______________________________________________
Wikibugs-l mailing list
[email protected]
https://lists.wikimedia.org/mailman/listinfo/wikibugs-l
