Chris Steipp <> changed:

           What    |Removed                     |Added
             Status|UNCONFIRMED                 |RESOLVED
         Resolution|---                         |WONTFIX

--- Comment #4 from Chris Steipp <> ---
(In reply to comment #3)
> I may be misremembering, but I believe that "Access-Control-Allow-Origin: *"
> would allow any random external site to fetch the CSRF tokens and such. The
> JSONP method explicitly disables any token fetching, and also treats the
> request as being from an anonymous user regardless of any login cookies.
> If your external site wants to interact with the API in a way JSONP doesn't
> allow, you should probably look into OAuth.

Correct. CORS from untrusted domains is not secure, since that would make
anti-csrf tokens useless.

If you have a specific domain you want to add to the whitelist, we could
discuss the merits of it individually, but * is definitely not possible.
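As an added illustration (not code from this bug report or from MediaWiki), a cookie-authenticated API handler that whitelists exact origins, answers untrusted origins as an anonymous user with no token, and carries a flag modelling the wildcard misconfiguration the thread rejects. The names (`SESSIONS`, `origin_allowed`, `handle_tokens`) and the sample session are constructed for the example.

```python
"""Why a '*' CORS whitelist defeats anti-CSRF tokens, and the safe alternative.
Hypothetical handler; constructed data, not MediaWiki's implementation."""
from urllib.parse import urlparse

# Constructed session store: cookie value -> (user, csrf_token)
SESSIONS = {"sid-1234": ("alice", "tok-9f3a")}


def origin_allowed(origin, whitelist):
    """Exact-match check of an Origin header against a whitelist.

    Entries are scheme+host[:port]. A literal "*" never matches, because a
    server that honours it echoes every Origin back with Allow-Credentials,
    which is no check at all.
    """
    if origin is None or origin == "null":
        return False
    p = urlparse(origin)
    if p.scheme not in ("http", "https") or not p.netloc or p.path:
        return False
    return origin in whitelist  # "*" is never equal to a real origin


def handle_tokens(origin, cookie, whitelist, *, echo_wildcard=False):
    """Serve a 'give me my CSRF token' API call; returns (headers, body).

    echo_wildcard=True models the misconfiguration from the thread: a "*"
    entry matches any origin and that origin is echoed back with credentials,
    so any site can read the logged-in user's token. The default is the safe
    behaviour: untrusted origins get an anonymous answer and no token, which
    is how the JSONP path is described above.
    """
    trusted = origin is None or origin_allowed(origin, whitelist)
    if echo_wildcard and "*" in whitelist and origin is not None:
        trusted = True  # insecure: every cross-site caller is now trusted
    headers = {}
    if origin is not None and trusted:
        headers = {"Access-Control-Allow-Origin": origin,
                   "Access-Control-Allow-Credentials": "true",
                   "Vary": "Origin"}
    session = SESSIONS.get(cookie) if trusted else None
    if session is None:
        return headers, {"user": "anonymous", "csrftoken": None}
    user, token = session
    return headers, {"user": user, "csrftoken": token}
```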

Wikibugs-l mailing list