Lucas_Werkmeister_WMDE added a comment.

I don't think Apache has a nice way to set additional headers in these cases (only).

I found this blog post while looking into the similar issue T177966 – TL;DR: set an environment variable in the redirect (E=acoa:1) and add a Header always set directive with that environment variable as condition (env=acoa). I guess it’s not very nice, but it’s possible (unless something in Wikimedia’s Apache setup prevents it).

Thiemo pointed out another complication: our canonical URIs are HTTP, not HTTPS. There is a redirect from the HTTP URL to the HTTPS URL.

wikidata.org is on the HSTS preload list used by Chrome, Firefox, Opera, Safari, IE11, and Edge, so those clients should immediately use the HTTPS version. Are there any clients that don’t use this HSTS preload list but still apply same-origin restrictions? (There’s also a task for switching the canonical URIs to HTTPS – T153563 – but it’s not clear if it should be done.)


TASK DETAIL
https://phabricator.wikimedia.org/T150290

To: Lucas_Werkmeister_WMDE
Cc: Lucas_Werkmeister_WMDE, thiemowmde, gerritbot, hoo, daniel, Aklapper, elf-pavlik, GoranSMilovanovic, QZanden, Wikidata-bugs, aude, Mbch331
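
The approach described in the comment above, sketched as an Apache configuration. This is an added example, not part of the original comment or of Wikimedia's configuration; the host name, paths, certificate locations and the choice of Access-Control-Allow-Origin as the header are assumptions. It covers both hops the comment mentions (HTTP to HTTPS, then the redirect itself) and requires mod_rewrite and mod_headers.

```apache
# Constructed example: data.example.org and all paths are hypothetical.

<VirtualHost *:80>
    ServerName data.example.org
    RewriteEngine On

    # Hop 1: HTTP -> HTTPS. The E flag sets the environment variable "acoa"
    # only for requests that match this rule.
    RewriteRule ^/entity/(.*)$ https://data.example.org/entity/$1 [R=301,L,E=acoa:1]

    # "always" is needed here: for locally generated non-2xx responses such
    # as redirects, only the "always" header table is used. The default
    # ("onsuccess") form below would not appear on the 301:
    #   Header set Access-Control-Allow-Origin "*" env=acoa
    Header always set Access-Control-Allow-Origin "*" env=acoa
</VirtualHost>

<VirtualHost *:443>
    ServerName data.example.org
    SSLEngine on
    SSLCertificateFile    /etc/ssl/example/data.example.org.crt
    SSLCertificateKeyFile /etc/ssl/example/data.example.org.key
    RewriteEngine On

    # Hop 2: the redirect that should carry the extra header.
    RewriteRule ^/entity/(.*)$ /wiki/Special:EntityData/$1 [R=303,L,E=acoa:1]

    # env=acoa limits the header to requests marked by the rule above, so
    # other responses from this virtual host are left unchanged.
    Header always set Access-Control-Allow-Origin "*" env=acoa
</VirtualHost>
```

Running `curl -sI` against each URL in the chain shows whether the header is present on the 301 and 303 responses as well as on the final one.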