User:Tóraí/CORS

This page describes changes to api.php to re-enable JavaScript access from external webpages following the recent implementation of Cross-Origin Resource Sharing (CORS) in all major web-browser.

Implementing the CORS specification in api.php could fully restore JavaScript support in the MediaWiki API.

Only toolserver.org
The following code only allows JavaScript from pages on toolserver.org to browse, log in and edit pages. JavaScript on other websites would require users to switch off their default browser security or use work-around techniques (such as a PHP proxy).

Full access
The following code allows JavaScript from all websites to browse, log in and edit pages directly without needing to use workarounds or asking users to change their security settings.

Limited access
The following code allows JavaScript on all pages to browse and edit pages (as they can do now via PHP proxies or by switching off default security settings), but pages hosted on toolser.org could log in.

Internet Explorer 8
Internet Explorer 8 does not fully implement the XMLHttpRequest standard. Instead, it uses its own XDomainRequest object for cross domain JavaScript. The following code corrects POST requests sent from XDomainRequest objects to appear as if they were sent by XMLHttpRequest.