Issues with Cross-Origin Resource Sharing (CORS) JQuery Request


Issues with Cross-Origin Resource Sharing (CORS) JQuery Request

Egbe Eugene
Hello All,

After looking at [1]Manual:CORS and trying to perform a request with jQuery
from an external application, I still get the error message saying "Request
from origin has been blocked by CORS policy: No
'Access-Control-Allow-Origin' header is present on the requested resource."

This is from a simple GET request to get imageinfo from Commons.

Any hints, please?
Eugene233

[1] https://www.mediawiki.org/wiki/Manual:CORS#Using_jQuery_methods
_______________________________________________
Wikitech-l mailing list
[hidden email]
https://lists.wikimedia.org/mailman/listinfo/wikitech-l

Re: Issues with Cross-Origin Resource Sharing (CORS) JQuery Request

Brad Jorsch (Anomie)
On Mon, May 6, 2019 at 7:14 AM Egbe Eugene <[hidden email]> wrote:

> After looking at [1]Manual:CORS and trying to perform a request with JQuery
> from an external application, I still get the error message saying "Request
> from origin has been blocked by CORS policy: No
> 'Access-Control-Allow-Origin' header is present on the requested resource.
>
> This is from a simple GET request to get imageinfo from Commons.
>

Without seeing the actual code you tried, I can only guess.

If you set the `origin` parameter to match the Origin header a browser
sends from your external site, and your external site is not listed in
$wgCrossSiteAJAXdomains,[1][2] the attempt to use CORS will be rejected. If
you inspect the response received, you should see a header
"MediaWiki-CORS-Rejection: Origin mismatch".

If you didn't set the `origin` parameter to so match, but just copied the
example at Manual:CORS, you should have received an HTTP 403 with a message
"'origin' parameter does not match Origin header".

If you set the `origin` parameter to "*" (that's the single character
U+002A) and set withCredentials = false in jQuery's xhrFields, it should
work from any remote site. But since cookies are neither being sent nor
used, the response will be served to you as an IP user. The code for that
could look something like this:

$.ajax( {
    url: 'https://en.wikipedia.org/w/api.php',
    data: {
        action: 'query',
        meta: 'userinfo',
        format: 'json',
        origin: '*'
    },
    xhrFields: {
        withCredentials: false
    },
    dataType: 'json'
} ).done( function ( data ) {
    console.log( 'Foreign user ' + data.query.userinfo.name + ' (ID ' + data.query.userinfo.id + ')' );
} );

It looks like https://www.mediawiki.org/wiki/Manual:CORS could use updating
to include the origin=* option, and perhaps to make it clearer that
logged-in accesses only work from whitelisted sites.

[1]: Docs: https://www.mediawiki.org/wiki/Manual:$wgCrossSiteAJAXdomains
[2]: Config:
https://gerrit.wikimedia.org/r/plugins/gitiles/operations/mediawiki-config/+/6cdae859db1611ffba7f6507faf8c54c6d38d217/wmf-config/CommonSettings.php#631

--
Brad Jorsch (Anomie)
Senior Software Engineer
Wikimedia Foundation
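The three outcomes Brad describes (origin not on the wiki's allow list, `origin` parameter not matching the browser's Origin header, and the anonymous `origin=*` path) can be turned into a small client-side helper. The code below is an added example written for this thread; it is not Brad's code nor part of MediaWiki or jQuery. It builds the request settings for either mode using `fetch` conventions (`credentials: 'omit'` is the equivalent of jQuery's `withCredentials: false`), classifies a response from the header and status signals quoted above, and includes a simplified stand-in for the server-side `$wgCrossSiteAJAXdomains` check. The API URL, page origin, allow-list entries and sample responses are constructed values, and the allow-list matcher is an approximation of MediaWiki's logic, not a copy of it.

```javascript
// Added example (not from the thread, MediaWiki or jQuery).
// Endpoint, origin, allow list and responses below are constructed samples.

// Build fetch() settings for a cross-origin Action API call.
//   authenticated=false -> origin=* and no cookies: works from any site, but the
//                          wiki serves the request as an IP (logged-out) user.
//   authenticated=true  -> origin must equal the page's own Origin header, and that
//                          origin must be listed in the wiki's $wgCrossSiteAJAXdomains.
function buildApiRequest({ apiUrl, params, pageOrigin, authenticated }) {
  const query = new URLSearchParams({ ...params, format: 'json' });
  query.set('origin', authenticated ? pageOrigin : '*');
  return {
    url: `${apiUrl}?${query.toString()}`,
    credentials: authenticated ? 'include' : 'omit', // fetch() form of withCredentials
  };
}

// Simplified stand-in for the server-side allow-list check (approximation of
// MediaWiki's behaviour, not its code). Entries are hostnames; a leading "*."
// matches any subdomain. The allow list, not the client, decides whether a
// credentialed cross-origin read is permitted.
function originAllowed(pageOrigin, allowlist) {
  const host = new URL(pageOrigin).hostname;
  return allowlist.some((entry) => {
    if (entry.startsWith('*.')) {
      const suffix = entry.slice(1); // ".example.org"
      return host.endsWith(suffix) && host.length > suffix.length;
    }
    return host === entry;
  });
}

// Classify a response using the signals Brad names. `headers` is a plain object
// with lower-cased header names; `body` is the parsed JSON (or a string).
function diagnoseCorsResponse({ status, headers, body }) {
  const rejection = headers['mediawiki-cors-rejection'];
  if (rejection) {
    // Wiki saw a matching origin param but the site is not on the allow list.
    return { ok: false, reason: 'origin-not-allowlisted', detail: rejection };
  }
  const text = typeof body === 'string' ? body : JSON.stringify(body || {});
  if (status === 403 && /'origin' parameter does not match Origin header/.test(text)) {
    // origin param copied from an example instead of matching the real Origin.
    return { ok: false, reason: 'origin-param-mismatch', detail: status };
  }
  if (!headers['access-control-allow-origin']) {
    // Nothing for the browser to honour: it will block the read, which is the
    // error message from the original post.
    return { ok: false, reason: 'no-acao-header', detail: status };
  }
  return { ok: true, reason: 'allowed', detail: headers['access-control-allow-origin'] };
}

// Constructed sample responses covering each branch above.
const SAMPLE_RESPONSES = {
  notAllowlisted: {
    status: 200,
    headers: { 'content-type': 'application/json', 'mediawiki-cors-rejection': 'Origin mismatch' },
    body: { query: {} },
  },
  paramMismatch: {
    status: 403,
    headers: { 'content-type': 'application/json' },
    body: { error: { info: "'origin' parameter does not match Origin header" } },
  },
  anonymousOk: {
    status: 200,
    headers: { 'content-type': 'application/json', 'access-control-allow-origin': '*' },
    body: { query: { userinfo: { id: 0, name: '203.0.113.5', anon: '' } } },
  },
};

// Stand-alone demo.
const demo = buildApiRequest({
  apiUrl: 'https://commons.wikimedia.org/w/api.php',
  params: { action: 'query', titles: 'File:Example.jpg', prop: 'imageinfo' },
  pageOrigin: 'https://app.example',
  authenticated: false,
});
console.log(demo.url, demo.credentials);
for (const [name, resp] of Object.entries(SAMPLE_RESPONSES)) {
  console.log(name, diagnoseCorsResponse(resp));
}
```

Running the classifier against the actual response headers in the browser's developer tools (the `MediaWiki-CORS-Rejection` header in particular) is the quickest way to tell which of the three cases applies before changing any configuration.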

Re: Issues with Cross-Origin Resource Sharing (CORS) JQuery Request

David Barratt
Somewhat related: https://phabricator.wikimedia.org/T210790

On Mon, May 6, 2019 at 9:05 AM Brad Jorsch (Anomie) <[hidden email]>
wrote:
