--- Comment #6 from eaton....@gmail.com ---
I've set up a demonstration which shows that cross-domain requests are
forbidden from using withCredentials=true when Access-Control-Allow-Origin is
set to "*".
This page sets a cookie for the subdomain www.macropus.org, then uses it to
fetch a token from the same subdomain, which succeeds (the cookie is sent even
without withCredentials=true, as it's a request to the same subdomain):
This page, on a different subdomain, is able to make an unauthenticated request
to the other subdomain (as the response has an "Access-Control-Allow-Origin: *"
header), but is forbidden from making a request with credentials:
The (very simple) code is here: https://github.com/hubgit/mediawiki-cors-test
If there's a flaw in the security logic, it would be very useful to know about;
on the other hand, I hope this will be persuasive enough to re-open this
Note that for the white-listed domains, the response can still include a
specific origin and so allow credentials to be sent; the
"Access-Control-Allow-Origin: *" response would just be for non-whitelisted
Wikibugs-l mailing list
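As an added illustration of the rules the comment above demonstrates (not code from the linked repository), here is a small model of both sides: the server picking its CORS headers from an assumed origin whitelist, and the browser-side check that rejects a credentialed response carrying `Access-Control-Allow-Origin: *`. The whitelist and origins are constructed sample values.

```javascript
// Added example, not from hubgit/mediawiki-cors-test: models the CORS
// decision on the server and the response check a browser applies.

// Server side: choose CORS response headers for a given request Origin.
// `whitelist` is an assumed list of trusted origins (constructed for this example).
function corsResponseHeaders(requestOrigin, whitelist) {
  if (whitelist.includes(requestOrigin)) {
    // Whitelisted origin: echo it back as a specific origin so the
    // browser may send cookies; Vary so caches keep responses apart.
    return {
      'Access-Control-Allow-Origin': requestOrigin,
      'Access-Control-Allow-Credentials': 'true',
      'Vary': 'Origin',
    };
  }
  // Non-whitelisted origin: wildcard only. This can never be combined
  // with credentials, so anonymous reads are allowed but cookies are not.
  return { 'Access-Control-Allow-Origin': '*' };
}

// Browser side: the check a user agent applies to a cross-origin response.
// Returns true if script on `pageOrigin` is allowed to read the response.
function browserAllowsResponse(pageOrigin, withCredentials, headers) {
  const acao = headers['Access-Control-Allow-Origin'];
  if (acao === undefined) return false;
  if (!withCredentials) {
    // Anonymous request: either the wildcard or an exact origin match.
    return acao === '*' || acao === pageOrigin;
  }
  // Credentialed request (withCredentials=true): the wildcard is rejected
  // outright, and Allow-Credentials must be exactly "true".
  return acao === pageOrigin &&
    headers['Access-Control-Allow-Credentials'] === 'true';
}

// One round trip: server answers a request from `pageOrigin`, browser decides.
function simulate(pageOrigin, withCredentials, whitelist) {
  const headers = corsResponseHeaders(pageOrigin, whitelist);
  return browserAllowsResponse(pageOrigin, withCredentials, headers);
}
```

Running `simulate('https://other.example', true, ['https://trusted.example'])` reproduces the comment's second case: the wildcard response is readable without credentials but refused once `withCredentials` is set.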