https://bugzilla.wikimedia.org/show_bug.cgi?id=19907
Summary: Cross-domain AJAX request support
Product: MediaWiki
Version: unspecified
Platform: All
OS/Version: All
Status: NEW
Severity: enhancement
Priority: Normal
Component: API
AssignedTo: [email protected]
ReportedBy: [email protected]
CC: [email protected], [email protected],
[email protected]
The W3C working draft on cross-origin resource sharing (
http://www.w3.org/TR/cors/ ) specifies how browsers can send AJAX requests
which normally wouldn't be allowed by same-origin rules. Specifically, the
response of the server must contain an Access-Control-Allow-Origin header with
the list of domains which are allowed to send requests. At least Firefox 3.5
and Explorer 8 already support this. Support for such a setting in the
MediaWiki API could allow user scripts to perform functions that affect
multiple sites (such as moving images to Commons, or combining watchlists from
multiple sites), toolserver scripts to access the wikis with a sound security
model (the script can instruct the browser to do stuff on a wiki without asking
for passwords or session cookies), and 3rd party MediaWiki installations to
have a public read/write API suitable for widgets and mashups.
The only possible security problem I can think of would be if a MediaWiki
installation would allow both user scripts and page edit requests from
untrusted domains. You could either disallow remote API calls to write .js
pages, or leave this to be the responsibility of the one configuring the site
(ie. do not enable $wgAllowUserJs / $wgUseSiteJs when API requests from
untrusted domains are enabled).
_______________________________________________
Wikibugs-l mailing list
[email protected]
https://lists.wikimedia.org/mailman/listinfo/wikibugs-l
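The access-control model sketched in the report (trusted origins get full, credentialed access; untrusted origins get read-only access; no cross-origin writes to .js pages) as an added example, not code from the bug or from MediaWiki. The origin names, action names and the split into two allowlists are constructed assumptions; the header carries the single matched origin rather than a list.

```python
"""Origin allowlisting for a CORS-enabled wiki API (illustrative, not MediaWiki code)."""
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Constructed sample policy: placeholder hosts, not real wiki domains.
TRUSTED_ORIGINS = {"https://commons.example.org", "https://tools.example.org"}
PUBLIC_READ_ORIGINS = {"https://widget.example.net"}
WRITE_ACTIONS = {"edit", "move", "upload", "delete"}


@dataclass
class CorsDecision:
    allowed: bool
    reason: str
    headers: dict = field(default_factory=dict)


def normalize_origin(origin):
    """Return 'scheme://host[:port]' lowercased, or None for missing/opaque/malformed Origin."""
    if not origin or origin == "null":
        return None
    parts = urlsplit(origin)
    if parts.scheme.lower() not in ("http", "https") or not parts.netloc or parts.path not in ("", "/"):
        return None
    return f"{parts.scheme}://{parts.netloc}".lower()


def cors_decision(origin_header, action, title=None,
                  trusted=TRUSTED_ORIGINS, public_read=PUBLIC_READ_ORIGINS):
    """Decide whether a cross-origin API call is served and which CORS headers to emit."""
    origin = normalize_origin(origin_header)
    vary = {"Vary": "Origin"}  # response differs per Origin, so caches must key on it
    if origin is None:
        return CorsDecision(False, "missing or malformed Origin")
    # Cross-origin writes to user/site JS pages are refused for every origin: a remote
    # page that can install script into the wiki would bypass the whole policy.
    if action in WRITE_ACTIONS and title and title.lower().endswith(".js"):
        return CorsDecision(False, "cross-origin write to a .js page", vary)
    if origin in trusted:  # exact match only; no prefix or suffix matching
        headers = {"Access-Control-Allow-Origin": origin,  # echo the matched value, never the raw header
                   "Access-Control-Allow-Credentials": "true", **vary}
        return CorsDecision(True, "trusted origin", headers)
    if origin in public_read:
        if action in WRITE_ACTIONS:
            return CorsDecision(False, "write action from read-only origin", vary)
        # No Allow-Credentials: the browser withholds the response from credentialed requests.
        return CorsDecision(True, "read-only origin", {"Access-Control-Allow-Origin": origin, **vary})
    return CorsDecision(False, "origin not in allowlist", vary)
```

A lookalike such as `https://commons.example.org.attacker.example` is rejected because matching is exact set membership, and the `Vary: Origin` header keeps a shared cache from serving one origin's allow header to another.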