https://bugzilla.wikimedia.org/show_bug.cgi?id=25886
--- Comment #12 from Roan Kattouw <[email protected]> 2012-11-11 01:32:41 UTC ---

(In reply to comment #11)
> * /../load.php: Modules can be private (e.g. user.options contains
> preferences), however these are already protected in load.php (e.g. try
> https://bits.wikimedia.org/www.mediawiki.org/load.php?debug=false&modules=user.options&only=scripts).
> Private modules can only be loaded from server output.

Most of what load.php serves is JavaScript, which doesn't need CORS. The only thing I can see load.php remotely needing CORS for is CSS in only=styles requests. We can safely serve ACAO:* for those from within ResourceLoader. All other load.php requests should not use CORS. Geoiplookup also should not use CORS. Static resources can be served with ACAO:* as well.
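The policy in comment #12 can be turned into an audit over observed responses; the following is an added example, not part of the original comment and not MediaWiki or ResourceLoader code. The host `static.example.org`, the sample URLs and headers, and the extension list used to recognise "static resources" are assumptions made for illustration.

```python
from urllib.parse import urlsplit, parse_qs

# Assumption: static resources are recognised by file extension; the comment
# itself does not define which paths count as static.
STATIC_EXTENSIONS = (".css", ".js", ".png", ".gif", ".jpg", ".svg", ".woff")


def acao_star_allowed(url):
    """True if the policy in comment #12 permits ACAO:* for this URL."""
    parts = urlsplit(url)
    path = parts.path.lower()
    if path.rsplit("/", 1)[-1] == "load.php":
        # Only a request with exactly one only= value, "styles", qualifies.
        # A missing or repeated only= parameter is treated as not allowed.
        return parse_qs(parts.query).get("only", []) == ["styles"]
    # Everything else (geoiplookup included) is allowed only if it is static.
    return path.endswith(STATIC_EXTENSIONS)


def audit(observations):
    """Return the URLs that carry an ACAO header the policy does not permit.

    observations: iterable of (url, response_headers_dict).
    A missing header is never flagged: the comment says ACAO:* *can* be
    served for styles and static files, not that it must be.
    """
    flagged = []
    for url, headers in observations:
        lowered = {k.lower(): v for k, v in headers.items()}
        if "access-control-allow-origin" in lowered and not acao_star_allowed(url):
            flagged.append(url)
    return flagged


# Constructed sample observations (not captured from any real server).
BASE = "https://static.example.org"
SAMPLE = [
    (BASE + "/w/load.php?debug=false&modules=site&only=styles",
     {"Access-Control-Allow-Origin": "*"}),
    (BASE + "/w/load.php?debug=false&modules=user.options&only=scripts",
     {"Access-Control-Allow-Origin": "*"}),
    (BASE + "/geoiplookup", {"access-control-allow-origin": "*"}),
    (BASE + "/skins/common/images/logo.png", {"Access-Control-Allow-Origin": "*"}),
    (BASE + "/w/load.php?modules=site&only=styles&only=scripts",
     {"Access-Control-Allow-Origin": "*"}),
    (BASE + "/w/load.php?modules=startup&only=scripts", {}),
]

if __name__ == "__main__":
    for url in audit(SAMPLE):
        print("unexpected CORS header:", url)
```
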
