https://bugzilla.wikimedia.org/show_bug.cgi?id=60835

Chris Steipp <cste...@wikimedia.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|UNCONFIRMED                 |RESOLVED
         Resolution|---                         |WONTFIX

--- Comment #4 from Chris Steipp <cste...@wikimedia.org> ---
(In reply to comment #3)
> I may be misremembering, but I believe that "Access-Control-Allow-Origin: *"
> would allow any random external site to fetch the CSRF tokens and such. The
> JSONP method explicitly disables any token fetching, and also treats the
> request as being from an anonymous user regardless of any login cookies.
> 
> If your external site wants to interact with the API in a way JSONP doesn't
> allow, you should probably look into OAuth.

Correct. CORS from untrusted domains is not secure, since that would make
anti-CSRF tokens useless.

If you have a specific domain you want to add to the whitelist, we could
discuss the merits of it individually, but * is definitely not possible.

_______________________________________________
Wikibugs-l mailing list
Wikibugs-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikibugs-l
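The policy the two comments above describe, written out as an added example (this is not MediaWiki's code and not from the thread): an exact-match origin allowlist that is the only way to send `Access-Control-Allow-Credentials: true` safely, a JSONP branch that is always anonymous and never hands out tokens, and, for contrast, the "accept any origin" shape the reply refuses. The helper names (`corsPolicy`, `reflectAnyOriginPolicy`, `fakeRequest`), the allowlist entries and the request objects are all assumptions constructed for the example.

```javascript
// Added example, not MediaWiki code. Hypothetical allowlist: the "specific
// domains" the reply says could be discussed individually.
const ALLOWED_ORIGINS = new Set([
  'https://partner.example',
  'https://tools.example',
]);

// Constructed stand-in for an HTTP request object (origin header + query string).
function fakeRequest(origin, query = {}) {
  const headers = {};
  if (origin !== undefined) headers.origin = origin;
  return { headers, query };
}

// Decide how one API request is served.
// Returns { headers, credentialed, tokensAllowed }:
//   headers       - CORS response headers to emit (none means the browser
//                   will not expose the response to cross-origin script)
//   credentialed  - whether login cookies are honoured for this request
//   tokensAllowed - whether anti-CSRF tokens may be returned
function corsPolicy(req, allowlist = ALLOWED_ORIGINS) {
  const origin = req.headers.origin;
  const jsonp = typeof req.query.callback === 'string';

  // JSONP runs as a <script> on the caller's page, so CORS never applies.
  // Serve it only as an anonymous request and never return tokens through it.
  if (jsonp) {
    return { headers: {}, credentialed: false, tokensAllowed: false };
  }

  // No Origin header: same-origin page or a non-browser client. CORS headers
  // are irrelevant; ordinary session handling applies.
  if (origin === undefined) {
    return { headers: {}, credentialed: true, tokensAllowed: true };
  }

  // Exact, case-sensitive match. A startsWith/includes/unanchored-regex check
  // would also accept https://partner.example.attacker.example.
  if (allowlist.has(origin)) {
    return {
      headers: {
        'Access-Control-Allow-Origin': origin,
        'Access-Control-Allow-Credentials': 'true',
        'Vary': 'Origin', // the response differs per origin; keep caches honest
      },
      credentialed: true,
      tokensAllowed: true,
    };
  }

  // Unknown origin (including the literal "null" origin of sandboxed frames
  // and file:// pages): no CORS headers at all, and treat it as anonymous.
  return { headers: {}, credentialed: false, tokensAllowed: false };
}

// The shape the reply rejects, for contrast: any site that can get a logged-in
// user's browser to call the API receives that user's tokens in script.
function reflectAnyOriginPolicy(req) {
  return {
    headers: {
      'Access-Control-Allow-Origin': req.headers.origin || '*',
      'Access-Control-Allow-Credentials': 'true',
    },
    credentialed: true,
    tokensAllowed: true,
  };
}

// Walk a few constructed requests through both policies.
function demo() {
  const cases = [
    fakeRequest('https://partner.example'),
    fakeRequest('https://attacker.example'),
    fakeRequest('https://partner.example.attacker.example'),
    fakeRequest('https://partner.example', { callback: 'cb' }),
    fakeRequest(undefined),
  ];
  return cases.map((req) => ({
    origin: req.headers.origin,
    jsonp: 'callback' in req.query,
    allowlisted: corsPolicy(req),
    reflected: reflectAnyOriginPolicy(req),
  }));
}
```

One caveat worth keeping in mind when reading the thread: browsers refuse to expose a credentialed response whose `Access-Control-Allow-Origin` is the literal `*`, so the server-side shape that actually leaks tokens is reflecting whatever `Origin` arrives while also sending `Access-Control-Allow-Credentials: true` (the `reflectAnyOriginPolicy` above). Either way the fix is the same as the reply says: an explicit allowlist, matched exactly, and nothing else.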
