https://bugzilla.wikimedia.org/show_bug.cgi?id=64822
--- Comment #3 from Barry Coughlan <[email protected]> --- I did some more re-thinking about this. I examined the jQuery code and the 'crossDomain' attribute is just for selecting the transport (XMLHttpRequest or <script> tag). It does not select data types (json/jsonp), i.e. if the datatype is 'jsonp' and the request is local, you will get a 'jsonp' request with a 'callback' parameter over XMLHttpRequest. The MW core will assume that any request with a 'callback' parameter is from another domain, and will treat the request as unauthenticated. MW core needs a better way to detect if a request is really cross-origin. The solution is CORS, but this is not supported in a standard way on IE9 (http://caniuse.com/cors). The most "correct" fix would be to change the MW core to use CORS to detect cross-origin requests, but this might break plugins relying on the API in IE<=9, so it would be a risky fix until IE9 is no longer a concern for anyone. I'm now convinced that the simplest fix for now is to add some logic in the VisualEditor JS to detect if the request will be local, based on the target URL of the request. Then use the 'json' datatype if it is local, and the 'jsonp' datatype if not. Here is jQuery's logic for checking that: https://github.com/jquery/jquery/blob/master/src/ajax.js#L518 Note that I tried this out by implementing custom prefilters/transports for jQuery (to leverage the crossDomain code already present), but this approach is hacky and a dead end. -- You are receiving this mail because: You are on the CC list for the bug. _______________________________________________ Wikibugs-l mailing list [email protected] https://lists.wikimedia.org/mailman/listinfo/wikibugs-l
