On Mon, May 6, 2019 at 7:14 AM Egbe Eugene agboreugene@gmail.com wrote:
After looking at [1]Manual:CORS and trying to perform a request with jQuery from an external application, I still get the error message saying "Request from origin has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource."
This is from a simple GET request to get imageinfo from Commons.
Without seeing the actual code you tried, I can only guess.
If you set the `origin` parameter to match the Origin header a browser sends from your external site, and your external site is not listed in $wgCrossSiteAJAXdomains,[1][2] the attempt to use CORS will be rejected. If you inspect the response received, you should see a header "MediaWiki-CORS-Rejection: Origin mismatch".
If you didn't set the `origin` parameter to so match, but just copied the example at Manual:CORS, you should have received an HTTP 403 with a message "'origin' parameter does not match Origin header".
If you set the `origin` parameter to "*" (that's the single character U+002A) and set withCredentials = false in jQuery's xhrFields, it should work from any remote site. But since cookies are neither being sent nor used, the response will be served to you as an IP user. The code for that could look something like this:
    $.ajax( {
        url: 'https://en.wikipedia.org/w/api.php',
        data: {
            action: 'query',
            meta: 'userinfo',
            format: 'json',
            origin: '*'
        },
        xhrFields: {
            withCredentials: false
        },
        dataType: 'json'
    } ).done( function ( data ) {
        console.log( 'Foreign user ' + data.query.userinfo.name +
            ' (ID ' + data.query.userinfo.id + ')' );
    } );
It looks like https://www.mediawiki.org/wiki/Manual:CORS could use updating to include the origin=* option, and perhaps to make it clearer that logged-in accesses only work from whitelisted sites.
[1]: Docs: https://www.mediawiki.org/wiki/Manual:$wgCrossSiteAJAXdomains
[2]: Config: https://gerrit.wikimedia.org/r/plugins/gitiles/operations/mediawiki-config/+...
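The three outcomes described in the reply above, as an added example that is not part of the original message and is not MediaWiki's own code: a small model that maps the `origin` parameter, the browser's Origin header and the allowlist to the response a caller should expect. The function names, the `*` wildcard handling for allowlist entries, the "no origin parameter" branch and the headers in the credentialed branch are assumptions.

```javascript
// Added illustration: models the outcomes described in this thread.
// Not MediaWiki's implementation; names and wildcard handling are assumptions.

// True if the Origin's host matches an allowlist entry ('*' matches any run).
function hostAllowed(origin, allowlist) {
  let host;
  try { host = new URL(origin).host; } catch (e) { return false; } // e.g. "null"
  return allowlist.some(function (pattern) {
    const re = pattern.split('*').map(function (part) {
      return part.replace(/[.+?^${}()|[\]\\]/g, '\\$&'); // escape regex chars
    }).join('.*');
    return new RegExp('^' + re + '$', 'i').test(host);
  });
}

function evaluateCors(originParam, originHeader, allowlist) {
  if (originParam === undefined) {
    // Assumption: without an origin parameter no CORS headers are added.
    return { outcome: 'no-cors', headers: {}, readable: false };
  }
  if (originParam === '*') {
    // Anonymous mode: readable from any site, served as an IP user.
    return { outcome: 'anonymous', readable: true,
      headers: { 'Access-Control-Allow-Origin': '*' } };
  }
  if (originParam !== originHeader) {
    // The copied-example case: parameter and header disagree.
    return { outcome: 'param-mismatch', status: 403, headers: {}, readable: false,
      message: "'origin' parameter does not match Origin header" };
  }
  if (!hostAllowed(originHeader, allowlist)) {
    // Site not in $wgCrossSiteAJAXdomains: browser blocks the read.
    return { outcome: 'not-allowlisted', readable: false,
      headers: { 'MediaWiki-CORS-Rejection': 'Origin mismatch' } };
  }
  // Allowlisted site: credentialed response (headers assumed, standard CORS).
  return { outcome: 'credentialed', readable: true, headers: {
    'Access-Control-Allow-Origin': originHeader,
    'Access-Control-Allow-Credentials': 'true' } };
}

// Constructed sample: an external tool that is not on the allowlist.
console.log(evaluateCors('https://tool.example', 'https://tool.example',
  ['*.wikipedia.org']).headers);
```

In the `not-allowlisted` and `param-mismatch` cases the browser console shows only the generic "No 'Access-Control-Allow-Origin' header" error, so the distinguishing header or 403 message has to be read from the network tab or a non-browser client.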