Pure Browser-side JS with Bot Password cannot get token due to CORS


Dan Keith
Hi.

I'm trying to write JS code in my browser that will run a prototype Wikidata bot (written in Browser-side JS) that will use XMLHttpRequest() to login to WikiData via a Bot Password for the purposes of making an edit. I'm running into CORS issues.

If I disable CORS in my browser, I can POST with:
    ?action=login&format=json&lgname=BOTNAME&lgpassword=BOTPASSWORD
and I successfully get a login token.

However, if I don't disable CORS, my browser errors with:
    'XMLHttpRequest cannot load https://www.wikidata.org/w/api.php. Origin http://localhost:8080 is not allowed by Access-Control-Allow-Origin'

Note that the same request that fails in the browser works fine with ‘curl’.

I’ve tried adding ‘origin=*’. I’ve toggled withCredentials, and I’ve tried a variety of combinations of these.

I’m wondering if it is even possible to have a webpage that can obtain login access (via bot user/pw), and make WikiData edits. I know that the rest of the Wiki sites can use CORS between each other, because they are whitelisted. My site is not on the whitelist, and it shouldn’t be.

An even simpler request that fails is this: https://www.wikidata.org/w/api.php?action=query&format=json&meta=tokens
It works when I disable CORS in the browser, but fails with the same error as above (remember, this is XMLHttpRequest, not just typing into the URL field).

I want to avoid writing server code just to defeat the browser’s CORS protection.

Thanks for any help you can provide,
Dan






_______________________________________________
Mediawiki-api mailing list
[hidden email]
https://lists.wikimedia.org/mailman/listinfo/mediawiki-api


Re: Pure Browser-side JS with Bot Password cannot get token due to CORS

Gergo Tisza
Hey Dan,

On Sat, Dec 3, 2016 at 4:37 PM, Dan Keith <[hidden email]> wrote:
I’m wondering if it is even possible to have a webpage that can obtain login access (via bot user/pw), and make WikiData edits. I know that the rest of the Wiki sites can use CORS between each other, because they are whitelisted. My site is not on the whitelist, and it shouldn’t be.

Allowing authenticated access from any site would utterly defeat the purpose of CORS, which is to prevent untrusted sites from doing arbitrary actions in the name of whoever happens to visit them. Calls to API endpoints which cannot be abused (don't change anything and don't return any user data) should be possible from any site via anonymous CORS.

The right security model for you is probably owner-only OAuth (assuming that you are really writing a bot and not a web tool that anyone can visit and use).
That said, browser-side javascript seems like the most inconvenient imaginable choice for a bot.

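The two access modes Gergo distinguishes above (anonymous CORS that any site may use but that never carries a session, versus credentialed CORS reflected only for an allow-listed origin) can be seen in a small model of both sides of the exchange. The following is an added example; it is not code from this thread or from MediaWiki. `corsDecision` is a simplified stand-in for how MediaWiki treats the `origin=` API parameter together with its `$wgCrossSiteAJAXdomains` allow-list, the entries in `TRUSTED_ORIGINS` are invented, and `browserExposesResponse` models the check a browser applies before it lets page script read a cross-origin response.

```javascript
// Added example, not code from the thread or from MediaWiki itself. It models
// the CORS decision Gergo describes: anonymous access (origin=*) is granted to
// any site but never carries a session; credentialed access is reflected only
// for an allow-listed origin. All names and list entries below are hypothetical.

// Stand-in for MediaWiki's $wgCrossSiteAJAXdomains allow-list (assumed values).
const TRUSTED_ORIGINS = new Set([
  'https://en.wikipedia.org',
  'https://commons.wikimedia.org',
]);

// Server side: decide the CORS response for one API request.
//   req.origin      - the browser-set Origin request header, or null
//   req.originParam - the `origin=` query parameter the client chose, or null
//   req.hasSession  - whether a login cookie arrived with the request
// Returns { allowed, headers, useSession }: whether a cross-origin reader may
// see the body, which CORS headers to emit, and whether the session is honoured.
function corsDecision(req) {
  const { origin, originParam, hasSession } = req;
  if (originParam === null) {
    // No CORS opt-in: cookies count, but no ACAO header is sent, so a
    // cross-origin XMLHttpRequest is blocked by the browser (Dan's error).
    return { allowed: false, headers: {}, useSession: hasSession };
  }
  if (originParam === '*') {
    // Anonymous CORS: any site may read the response, but the session is
    // discarded, so nothing user-specific or state-changing can happen.
    return {
      allowed: true,
      headers: { 'Access-Control-Allow-Origin': '*' },
      useSession: false,
    };
  }
  if (originParam === origin && TRUSTED_ORIGINS.has(origin)) {
    // Allow-listed origin: reflect it and let the session through.
    return {
      allowed: true,
      headers: {
        'Access-Control-Allow-Origin': origin,
        'Access-Control-Allow-Credentials': 'true',
        Vary: 'Origin',
      },
      useSession: hasSession,
    };
  }
  // Mismatched or untrusted origin asking for credentialed access: refuse,
  // and do not act on the session either.
  return { allowed: false, headers: {}, useSession: false };
}

// Browser side: the check the user agent applies before exposing a
// cross-origin response to script. A wildcard is never acceptable when
// credentials were sent, which is why toggling withCredentials cannot help.
function browserExposesResponse(headers, pageOrigin, withCredentials) {
  const acao = headers['Access-Control-Allow-Origin'];
  if (acao === undefined) return false;
  if (withCredentials) {
    return acao === pageOrigin && headers['Access-Control-Allow-Credentials'] === 'true';
  }
  return acao === '*' || acao === pageOrigin;
}

// Client helper: build the anonymous form of a read-only API call.
function anonymousApiUrl(base, params) {
  const url = new URL(base);
  for (const [k, v] of Object.entries(params)) url.searchParams.set(k, v);
  url.searchParams.set('origin', '*');
  return url.toString();
}

// End-to-end simulation of one request from a page at pageOrigin.
function simulate(pageOrigin, originParam, withCredentials) {
  const decision = corsDecision({ origin: pageOrigin, originParam, hasSession: withCredentials });
  return {
    exposed: browserExposesResponse(decision.headers, pageOrigin, withCredentials),
    sessionUsed: decision.useSession,
  };
}

// Walk-through of the attempts in the thread (prints only when run directly).
if (typeof require !== 'undefined' && require.main === module) {
  const page = 'http://localhost:8080';
  console.log('plain XHR from localhost:', simulate(page, null, true));
  console.log('origin=* without credentials:', simulate(page, '*', false));
  console.log('origin=* with credentials:', simulate(page, '*', true));
  console.log('credentialed from allow-listed site:',
    simulate('https://en.wikipedia.org', 'https://en.wikipedia.org', true));
  console.log(anonymousApiUrl('https://www.wikidata.org/w/api.php',
    { action: 'query', format: 'json', meta: 'tokens' }));
}
```

Run with `node`. The walk-through reproduces the thread: a plain XMLHttpRequest from localhost gets no `Access-Control-Allow-Origin` header at all; adding `origin=*` makes the read-only `meta=tokens` query readable, but only without credentials and only with the session dropped; and a credentialed request is reflected solely for an allow-listed origin. That is exactly why a logged-in edit cannot be driven purely from an arbitrary page, and why Gergo points to owner-only OAuth instead.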