https://bugzilla.wikimedia.org/show_bug.cgi?id=60835

--- Comment #6 from eaton....@gmail.com ---
I've set up a demonstration which shows that cross-domain requests are
forbidden from using withCredentials=true when Access-Control-Allow-Origin is
set to "*".

This page sets a cookie for the subdomain www.macropus.org, then uses it to
fetch a token from the same subdomain, which succeeds (the cookie is sent even
without withCredentials=true, as it's a request to the same subdomain):
http://www.macropus.org/2014/mediawiki-cors/

This page, on a different subdomain, is able to make an unauthenticated request
to the other subdomain (as the response has an "Access-Control-Allow-Origin: *"
header), but is forbidden from making a request with credentials:
http://git.macropus.org/mediawiki-cors-test/

The (very simple) code is here: https://github.com/hubgit/mediawiki-cors-test

If there's a flaw in the security logic, it would be very useful to know about;
on the other hand, I hope this will be persuasive enough to re-open this
ticket.

Note that for the white-listed domains, the response can still include a
specific origin and so allow credentials to be sent; the
"Access-Control-Allow-Origin: *" response would just be for non-whitelisted
domains.
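The two behaviours this comment demonstrates, as an added JavaScript example that is not the linked test repository's code: a server-side header policy matching the whitelist scheme described above, plus a simplified form of the browser's CORS response check from the Fetch standard. The origins and whitelist it uses are constructed placeholders.

```javascript
// Server side: choose CORS response headers for a request's Origin.
// Whitelisted origins get their exact origin echoed back together with
// Access-Control-Allow-Credentials; every other origin gets the wildcard,
// which browsers never accept for credentialed requests.
function corsResponseHeaders(origin, whitelist) {
  if (whitelist.includes(origin)) {
    return {
      "Access-Control-Allow-Origin": origin,
      "Access-Control-Allow-Credentials": "true",
      "Vary": "Origin", // response differs per origin, so caches must key on it
    };
  }
  return { "Access-Control-Allow-Origin": "*" };
}

// Browser side: simplified "CORS check" a browser applies to the response
// before letting the page read it.
function browserAllowsResponse(origin, withCredentials, headers) {
  const allowOrigin = headers["Access-Control-Allow-Origin"];
  if (allowOrigin === undefined) return false;
  if (!withCredentials) {
    // Anonymous request: wildcard or an exact origin match is enough.
    return allowOrigin === "*" || allowOrigin === origin;
  }
  // Credentialed request: the wildcard is rejected, the origin must match
  // exactly, and Access-Control-Allow-Credentials must be exactly "true".
  return allowOrigin === origin &&
    headers["Access-Control-Allow-Credentials"] === "true";
}

// End to end: can a page at `origin` read the response from a server that
// applies the whitelist policy above?
function crossOriginReadable(origin, withCredentials, whitelist) {
  const headers = corsResponseHeaders(origin, whitelist);
  return browserAllowsResponse(origin, withCredentials, headers);
}

// Constructed origins standing in for the two subdomains in the comment.
const WHITELIST = ["https://trusted.example"];
for (const [origin, creds] of [
  ["https://other.example", false],   // allowed via "*"
  ["https://other.example", true],    // blocked: "*" with credentials
  ["https://trusted.example", true],  // allowed: exact origin + credentials
]) {
  console.log(origin, "withCredentials=" + creds,
    crossOriginReadable(origin, creds, WHITELIST) ? "readable" : "blocked");
}
```

The whitelist must be an exact-match list: reflecting an arbitrary Origin header back together with Access-Control-Allow-Credentials would reintroduce the credentialed cross-site read that the wildcard prevents.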

_______________________________________________
Wikibugs-l mailing list
Wikibugs-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikibugs-l