CORS on MediaWiki API
Introduction on CORS
Cross-origin resource sharing (CORS) is a mechanism that allows restricted resources on a web page to be requested from another domain outside the domain from which the first resource was served[1]. The mechanism is enforced on the browser (client) side and is controlled by the client's request headers and the server's response headers. It is implemented in various mobile and desktop browsers.[2][3] Prior to the CORS implementation, cross-site browser requests were not allowed.
CORS Implementation on MediaWiki API
MediaWiki has its own implementation of CORS[4], which lives in the file includes/api/ApiMain.php. This implementation enables the MediaWiki site admin to whitelist the domains that are allowed to perform API function calls to the MediaWiki API.
How to configure
The CORS implementation is included in the standard MediaWiki installation and requires no additional extensions. First, we need to add a $wgCrossSiteAJAXdomains entry to LocalSettings.php. The parameter can take a single entry or an array of strings. Every entry in this parameter is a whitelisted domain. The whitelist is needed in PKC's implementation to enable API function calls from other microservices. Below is the entry in LocalSettings.php:
// Single Entry example
$wgCrossSiteAJAXdomains[] = '*.wikipedia.org';
// Multiple entry
$wgCrossSiteAJAXdomains = [
'your.first.domain',
'your.second.domain',
'your.third.domain'
];
Then the MediaWiki API will add HTTP response headers, on the preflight or POST request, that allow the browser to use cross-origin resource sharing.
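Before deploying a whitelist it helps to check which origins its entries would actually admit. The following is an added example, not MediaWiki's own code: it assumes each entry is matched against the full Origin value after the `http://` or `https://` scheme, with `*` standing for any run of characters and `?` for one character, and all sample origins are constructed.

```javascript
// Added example, not MediaWiki code. ASSUMPTION: a whitelist entry is matched
// against the whole Origin value after "http://" or "https://", with
// '*' = any run of characters and '?' = exactly one character.
function wildcardToRegex(pattern) {
  // Escape regex metacharacters, translating the two wildcards as we go.
  const body = pattern.replace(/[.*+?^${}()|[\]\\]/g, (ch) =>
    ch === '*' ? '.*?' : ch === '?' ? '.' : '\\' + ch);
  return new RegExp('^https?://' + body + '$');
}

// True if any whitelist entry admits this Origin header value.
function originAllowed(origin, allowList) {
  return allowList.some((entry) => wildcardToRegex(entry).test(origin));
}

// Return the subset of candidate origins that a whitelist would admit.
function auditAllowList(allowList, origins) {
  return origins.filter((o) => originAllowed(o, allowList));
}

// Entries taken from the LocalSettings.php examples on this page.
const pageList = ['*.wikipedia.org', 'your.first.domain'];
// Constructed entry: a wildcard with no leading dot.
const looseList = ['*example.org'];

// Constructed Origin values to test against the lists.
const candidates = [
  'https://en.wikipedia.org',               // subdomain
  'https://a.b.wikipedia.org',              // '*' spans several labels
  'https://wikipedia.org',                  // apex has no leading label
  'https://en.wikipedia.org.other.example', // suffix after the entry
  'https://your.first.domain',              // exact entry
  'https://your.first.domain:8443',         // port is part of the origin
  'https://www.example.org',
  'https://notexample.org',                 // look-alike registered domain
];

console.log('page list admits: ', auditAllowList(pageList, candidates));
console.log('loose list admits:', auditAllowList(looseList, candidates));
```

Under these assumptions `*.wikipedia.org` does not cover the apex domain or a non-default port, while `*example.org` also admits an unrelated domain that merely ends in the same characters, so wildcard entries should begin with `*.` rather than a bare `*`.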
Sample API Calls
References
1. https://en.wikipedia.org/wiki/Cross-origin_resource_sharing
2. https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS#specifications
3. https://hacks.mozilla.org/2009/07/cross-site-xmlhttprequest-with-cors/
4. https://gerrit.wikimedia.org/r/c/mediawiki/core/+/9624/, Change Request on CORS at Jul 06, 2012