API:Cross-site requests
 |
This page is part of the MediaWiki API documentation. |
| Language: | English • 日本語 |
|---|
Quick overview:
- Quick start guide
- FAQ
- Tutorial
- Formats
- Error reporting
- Restricting usage
- Cross-site requests
- Authentication
- Queries
- Search suggestions
- Parsing wikitext and expanding templates
- Purging pages' caches
- Parameter information
- Changing wiki content
- Watchlist feed
- Wikidata
- Extensions
- Using the API in MediaWiki and extensions
- Miscellaneous
- Implementation
- Client code
- Asserting
If a user script or gadget needs to make an API call against another MediaWiki site (e.g. a script on the English Wikipedia needs to check image information on Commons), it must use JSONP or CORS.
JSONP usage[edit | edit source]
The API format=json accepts a "callback" parameter, which names a JavaScript function in which the JSON result will be wrapped. This may be used to call the API on a remote site by dynamically adding <script> tags to the document.
Note that any JSONP requests will be processed as if logged out, even if the browser session is authenticated against the remote wiki.
CORS usage[edit | edit source]
For a CORS request to be allowed by the remote wiki, $wgCrossSiteAJAXdomains must be set appropriately to allow the origin site. The MediaWiki API also requires that the origin be supplied as a request parameter, appropriately named "origin", which is matched against the Origin header required by the CORS protocol. Note that this header must be included in any pre-flight request, and so should be included in the query string portion of the request URI even for POST requests.
If the CORS origin check passes, MediaWiki will include the Access-Control-Allow-Credentials: true header in the response, so authentication cookies may be sent.
On Wikimedia wikis CORS is enabled since September 2012; as of October 2013 CORS pre-flight requests are also supported.
