Hey Dan,

On Sat, Dec 3, 2016 at 4:37 PM, Dan Keith <dan@quantumclay.com> wrote:

I’m wondering if it is even possible to have a webpage that can obtain login access (via bot user/pw), and make WikiData edits. I know that the rest of the Wiki sites can uses CORS between each other, because they are whitelisted. My site is not on the whitelist, and it shouldn’t be.

Allowing authenticated access from any site would utterly defeat the purpose of CORS, which is to prevent untrusted sites from doing arbitrary actions in the name of whoever happens to visit them. Calls to API endpoints which cannot be abused (don't change anything and don't return any user data) should be possible from any site via anonymous CORS.

The right security model for you is probably owner-only OAuth (assuming that you are really writing a bot and not a web tool that anyone can visit and use).

That said, browser-side javascript seems like the most inconvenient imaginable choice for a bot.