Brad Jorsch <> changed:

           What    |Removed                     |Added
                 CC|                            |

--- Comment #3 from Brad Jorsch <> ---
I may be misremembering, but I believe that "Access-Control-Allow-Origin: *"
would allow any random external site to fetch the CSRF tokens and such. The
JSONP method explicitly disables any token fetching, and also treats the
request as being from an anonymous user regardless of any login cookies.

If your external site wants to interact with the API in a way JSONP doesn't
allow, you should probably look into OAuth.
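The behaviour described in the comment above (a JSONP request is handled as anonymous and cannot fetch tokens), sketched as an added example; this is not code from the original message or from MediaWiki. The names `handle`, `SESSIONS`, `csrf_token`, the `meta=tokens` parameter shape and the callback-name check are assumptions of this sketch.

```python
import hashlib
import hmac
import json
import re

SECRET = b"constructed-demo-secret"      # constructed value for the sketch
SESSIONS = {"sess-alice": "Alice"}       # constructed session store
# Assumption of this sketch: only plain identifier-style callback names are accepted.
CALLBACK_RE = re.compile(r"^[A-Za-z_$][\w$.]*$")


def csrf_token(user):
    """Per-user token; a stand-in for whatever the real API issues."""
    return hmac.new(SECRET, user.encode(), hashlib.sha256).hexdigest()


def handle(params, cookies):
    """Return (content_type, body) for a toy API request."""
    callback = params.get("callback")
    if callback is not None and not CALLBACK_RE.match(callback):
        return "application/json", json.dumps({"error": "badcallback"})

    # A JSONP response is executed by whichever page included it, so the
    # login cookie is ignored and the request is handled as anonymous.
    jsonp = callback is not None
    user = None if jsonp else SESSIONS.get(cookies.get("session"))

    result = {"user": user or "anonymous"}
    if params.get("meta") == "tokens":
        if jsonp:
            result["error"] = "tokens are not available via JSONP"
        elif user is None:
            result["error"] = "login required"
        else:
            result["csrftoken"] = csrf_token(user)

    body = json.dumps(result)
    if jsonp:
        return "text/javascript", f"{callback}({body})"
    return "application/json", body


if __name__ == "__main__":
    logged_in = {"session": "sess-alice"}
    print(handle({"meta": "tokens", "callback": "cb"}, logged_in))
    print(handle({"meta": "tokens"}, logged_in))
```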

Wikibugs-l mailing list
