Jump to content

User:Tóraí/CORS

From Wikipedia, the free encyclopedia

This page describes changes to api.php to re-enable JavaScript access from external webpages following the recent implementation of Cross-Origin Resource Sharing (CORS) in all major web-browser.

Implementing the CORS specification in api.php could fully restore JavaScript support in the MediaWiki API.

Examples of access

[edit]

Only toolserver.org

[edit]

The following code only allows JavaScript from pages on toolserver.org to browse, log in and edit pages. JavaScript on other websites would require users to switch off their default browser security or use work-around techniques (such as a PHP proxy).

header("Access-Control-Allow-Origin: http://toolserver.org");
header("Access-Control-Allow-Credentials: true");

Full access

[edit]

The following code allows JavaScript from all websites to browse, log in and edit pages directly without needing to use workarounds or asking users to change their security settings.

// Credentialised access needs to be explicitly granted (no wild cards). We rely on the "Origin" header
// in the client's request to know who to grant access to. Spoofing is not a concern because we don't
// care who the client says they are only that you say you are someone.

if (isset($_SERVER["HTTP_ORIGIN"])){
	// If we have an "Origin" header...
	// 1. Allow access from that origin
	header("Access-Control-Allow-Origin: ".$_SERVER["HTTP_ORIGIN"]);
	// 2. Allow credentialised access from that origin
	header("Access-Control-Allow-Credentials: true");
} else {
	// ...Otherwise, allow (non-credentialised) access [fallback condition]
	header("Access-Control-Allow-Origin: *");
}

Limited access

[edit]

The following code allows JavaScript on all pages to browse and edit pages (as they can do now via PHP proxies or by switching off default security settings), but pages hosted on toolser.org could log in.

// Credentialised access needs to be explicitly granted (no wild cards). We rely on the "Origin" header
// in the client's client's request to know who to grant access to. Spoofing is not a concern because
// credentialsed access will only be granted to toolserver.org and standards-compliant browsers will
// thus only allow credentialsed access to pages on that server. Older or non-compliant browsers can
// circumvent these restrictions in any event.

if (isset($_SERVER["HTTP_ORIGIN"]) and $_SERVER["HTTP_ORIGIN"] == "http://toolserver.org"){
	// If the "Origin" header states that the request is from the http://toolserver.org then grant access...
	// 1. Allow access from toolserver.org
	header("Access-Control-Allow-Origin: http://toolserver.org");
	// 2. Allow credentialised access from toolserver.org
	header("Access-Control-Allow-Credentials: true");
} else {
	// ...In all other cases, allow non-credentialised access
	header("Access-Control-Allow-Origin: *");
	header("Access-Control-Allow-Credentials: false");
}

Internet Explorer 8

[edit]

Internet Explorer 8 does not fully implement the XMLHttpRequest standard. Instead, it uses its own XDomainRequest object for cross domain JavaScript. The following code corrects POST requests sent from XDomainRequest objects to appear as if they were sent by XMLHttpRequest.

if (isset($HTTP_RAW_POST_DATA)) {
	$data = explode("&", $HTTP_RAW_POST_DATA);
	foreach ($data as $val) {
		if (!empty($val)) {
			list($key, $value) = explode("=", $val);   
			$_POST[$key] = urldecode($value);
		}
	}
}