
API Requests to Wikibase Repositories are blocked
Open, Normal, Public

Description

If you click the "Add interlanguage links" button on wikis using the WikibaseClient extension, there is an error shown in the UI that simply says "." and the following error appears in the console:

Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at https://snapdata.miraheze.org/w/api.php?action=query&format=json&origin=https%3A%2F%2Fsnapwiki.miraheze.org&meta=userinfo%7Ctokens. (Reason: CORS header ‘Access-Control-Allow-Origin’ missing). Status code: 200.

Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at https://snapdata.miraheze.org/w/api.php?action=query&format=json&origin=https%3A%2F%2Fsnapwiki.miraheze.org&centralauthtoken=<REDACTED>&meta=userinfo. (Reason: CORS header ‘Access-Control-Allow-Origin’ missing). Status code: 200.


Event Timeline

Redmin triaged this task as Normal priority. Oct 8 2023, 08:54
Redmin created this task.

"CORS header ‘Access-Control-Allow-Origin’ missing", huh? We could do like on static.miraheze.org and just return the wildcard on requests to wikis to fix this, unless someone wants to try the fancier method varying the origin depending on the clientside "Host" header.

OrangeStar removed OrangeStar as the assignee of this task. Edited Oct 29 2023, 18:22

Hmmm, maybe setting the wildcard is not such a good idea: https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS/Errors/CORSMissingAllowOrigin#what_went_wrong.

Warning: Using the wildcard to allow all sites to access a private API is a bad idea.

To allow any site to make CORS requests without using the * wildcard (for example, to enable credentials), your server must read the value of the request's Origin header and use that value to set Access-Control-Allow-Origin, and must also set a Vary: Origin header to indicate that some headers are being set dynamically depending on the origin.

So, if I understand this correctly, the browser will NOT send cookies (https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Credentials) if the wildcard is returned, so MediaWiki will not know it is you making these requests. This will break the first request in this task, where it is retrieving API tokens on snapdatawiki, I think.

The proper way forward would seem to be checking the origin and varying Access-Control-Allow-Origin depending on that. Just setting it to the same value as the clientside Origin header seems... unsafe, somehow? It's effectively the same as just the wildcard.

So, in an ideal world, in Varnish, we would return the Access-Control-Allow-Origin header on requests to the Action API that would be equal to the Origin header after checking it against an array of hostnames pointing to miraheze wikis. This is not possible because of custom domains, I think? Since Varnish doesn't seem to be aware of all the possible custom domains we can serve.

This may be all wrong, but since I don't know enough about all the implications of this, I'm not comfortable working on this task for now.

(Note to self: This is what CORS is about -> https://www.reddit.com/r/reactjs/comments/11cyejn/comment/ja77iy4/)

Hi,

I would like to start by apologizing on the project's behalf that your task was not resolved within a reasonable time. The community has now decided via RfC to merge with WikiTide and former volunteers will be returning and new ones will likely join. An event such as this one is unlikely to occur again.

Since your task has been opened for a long time, please let us know if (1) you still need it to be done or (2) if it's a bug: if it's still occurring.

NOTE: This is a mass message and not specific to any particular task.

Hi,

Since no response to the latest question has been received in a while, we must assume that this task is no longer needed and will now be closing it as Declined. (This is simply to indicate to us that the task was not done)

If you still need this task and are able to respond, please feel free to reopen this task and indicate that it is still needed and we will start working on it. I would like to apologize once again for any inconvenience caused by this task not being resolved within a reasonable time.

Reception123

This has been open for a while, I thought someone was going to come up with some idea to do this automatically but I guess not.

Let's keep it simple then. I propose we just have an array of wikis with wikibase client, and wikis those wikis have to contact, and send the appropriate CORS headers. Those that want to do the same thing as @Redmin here will have to open a phab task here for their wikis to be added to this array. This would be done in https://github.com/miraheze/puppet/blob/master/modules/varnish/templates/default.vcl#L231. Sound good to the SRE team?
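As an added example (not code from this task or from the Miraheze puppet repo), here is the allowlist-and-echo policy OrangeStar describes earlier in the thread and the per-wiki array proposed just above, written in Python rather than VCL so it can be run: the repo host and client origin are the ones from the task description, the `ALLOWED_CLIENTS` map is constructed, and `browser_allows` is a simplified model of the browser's CORS check showing why the wildcard fails for credentialed token requests.

```python
"""Allowlisted CORS decision for a Wikibase repo's Action API (constructed example)."""
from urllib.parse import urlsplit

# Constructed allowlist: repo wiki host -> client origins allowed to call its
# api.php with credentials. Mirrors the "array of wikis" proposed in the thread;
# the hostnames are the ones from the task description.
ALLOWED_CLIENTS = {
    "snapdata.miraheze.org": {"https://snapwiki.miraheze.org"},
}

API_PATH = "/w/api.php"


def cors_headers(repo_host, path, origin):
    """Return CORS response headers for one request, or {} when none apply.

    Only an Origin that exactly matches an allowlisted client of this repo is
    echoed back, and Vary: Origin is set whenever the answer depends on Origin
    so a cache never serves one origin's grant to another.
    """
    if not path.startswith(API_PATH) or not origin:
        return {}
    parts = urlsplit(origin)
    # Accept only a clean https origin: no path, no userinfo, no port tricks.
    if parts.scheme != "https" or parts.netloc != parts.hostname or parts.path:
        return {}
    if origin not in ALLOWED_CLIENTS.get(repo_host, set()):
        # Unknown origin: send no Access-Control-Allow-Origin at all. Echoing
        # the Origin unconditionally would be the wildcard plus credentials.
        return {"Vary": "Origin"}
    return {
        "Access-Control-Allow-Origin": origin,        # exact origin, never "*"
        "Access-Control-Allow-Credentials": "true",   # cookies for the token request
        "Vary": "Origin",
    }


def browser_allows(headers, origin, with_credentials):
    """Simplified model of the browser's CORS check on the response headers."""
    acao = headers.get("Access-Control-Allow-Origin")
    if acao is None:
        return False  # the "CORS header missing" error from the task description
    if with_credentials:
        # "*" is refused for credentialed requests; exact origin + ACAC: true needed
        return acao == origin and headers.get("Access-Control-Allow-Credentials") == "true"
    return acao in ("*", origin)
```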

I'm confused, where would this be done, as I don't think it would be at the line you mentioned...