csteipp added a subscriber: hoo. csteipp added a comment. In https://phabricator.wikimedia.org/T107602#1508326, @Smalyshev wrote:
> Aren't our tokens HTTP only?

Our session cookies are, but anti-csrf tokens are available via API call. So javascript running on a wikidata.org subdomain can edit on any other WMF wiki via CORS.

> If we allow content from *.wikidata.org to be injected to any wiki, then this means test.wikidata.org is included too and any domain that is in wikidata.org. Maybe we can set it to www.wikidata.org only? I'm not sure we need other wikis to pull anything from test.wikidata.org, do we?

I know we edit www.wikidata.org from many WMF domains (and I believe test.wikidata.org from test.wikipedia.org, for... testing), so wikidata.org needs to allow CORS requests from all WMF domains. However, I don't know if we ever edit other WMF domains from wikidata.org via CORS, so we might be able to cut *.wikidata.org out of our CORS policy entirely. Maybe @hoo knows?

TASK DETAIL https://phabricator.wikimedia.org/T107602
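The point in the comment above is that a wildcard CORS allowlist entry such as `*.wikidata.org` admits every subdomain, test.wikidata.org included, and any origin it admits can fetch anti-csrf tokens through the API. The following is an added example, not MediaWiki's code or anything from this task: it implements one plausible set of wildcard-matching rules (an assumption, not MediaWiki's own `wfMatchesDomainList()`) and audits which constructed origins a broad allowlist admits versus a narrowed one. The entry names and candidate origins are constructed for illustration.

```javascript
// Added example (not MediaWiki's code): evaluate what a CORS origin allowlist
// with wildcard entries actually admits. The matching rules below are an
// assumption for illustration, not MediaWiki's own implementation.

// Parse an Origin header value into a lowercase host name (scheme/port dropped).
function originHost(origin) {
  try {
    return new URL(origin).hostname.toLowerCase();
  } catch (e) {
    return null; // malformed Origin header: never allowed
  }
}

// Does one allowlist entry admit this host?
// "*.example.org" matches hosts with at least one extra label under
// example.org ("test.example.org"), but not "example.org" itself and not a
// look-alike such as "evilexample.org"; the match must sit on a label boundary.
// A plain entry must match the host exactly.
function entryMatches(entry, host) {
  const e = entry.toLowerCase();
  if (e.startsWith('*.')) {
    const suffix = e.slice(1); // ".example.org"
    return host.length > suffix.length && host.endsWith(suffix);
  }
  return host === e;
}

function originAllowed(origin, allowlist) {
  const host = originHost(origin);
  if (host === null) return false;
  return allowlist.some((entry) => entryMatches(entry, host));
}

// Report, for each candidate origin, whether the allowlist admits it.
function auditAllowlist(allowlist, candidates) {
  const result = {};
  for (const origin of candidates) {
    result[origin] = originAllowed(origin, allowlist);
  }
  return result;
}

// Constructed sample data: the broad policy discussed in the thread and the
// narrower alternative proposed in it.
const BROAD = ['*.wikidata.org'];
const NARROW = ['www.wikidata.org'];
const CANDIDATES = [
  'https://www.wikidata.org',
  'https://test.wikidata.org',
  'https://wikidata.org',
  'https://evilwikidata.org',     // look-alike domain, must never match
  'https://wikidata.org.example', // different registrable domain
  'not a url',                    // malformed Origin header
];

if (typeof require !== 'undefined' && require.main === module) {
  console.log('broad: ', auditAllowlist(BROAD, CANDIDATES));
  console.log('narrow:', auditAllowlist(NARROW, CANDIDATES));
}
```

Running the audit shows the difference the comment describes: under `BROAD`, test.wikidata.org is admitted alongside www.wikidata.org; under `NARROW`, only www.wikidata.org is. The label-boundary check in `entryMatches` is the detail worth keeping in any real allowlist: a plain `endsWith('wikidata.org')` would also admit `evilwikidata.org`.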