Please enable CORS headers on wikidata to all other MW servers.
Would be a good way to allow for NavPopups to work on langlinks, etc.
Version: wmf-deployment
Severity: enhancement
Description
Description
Details
Details
- Reference
- bz44994
| Status | Subtype | Assigned | Task | ||
|---|---|---|---|---|---|
| Declined | None | T46948 Navigation Popup gadget should work with language links | |||
| Declined | None | T46994 Enable CORS headers for accessing wikidata.org |
Event Timeline
Comment Actions
A minor detail, this must be done on Wikipedia and it depends on some normalization of the domain names (that is subdomains) used at Wikidata.
Comment Actions
Requesting data from wikidata.org already works so this wont break wikibase deployment.
Changing product as this is no Wikibase problem but a MediaWiki configuration one.
Comment Actions
Hmm, maybe "shell" instead of "ops", seeing $wmgUseCORS in https://noc.wikimedia.org/conf/CommonSettings.php.txt ?
Comment Actions
Please also allow wmflabs.org servers.
Also, the cached entities should be available from all servers, e.g.:
https://www.wikidata.org/wiki/Special:EntityData/Q12345.json
This should actually reduce load to the wikidata servers, a many tools could then use the cached data instead of the API.
Comment Actions
(In reply to Magnus Manske from comment #6)
Also, the cached entities should be available from all servers, e.g.:
https://www.wikidata.org/wiki/Special:EntityData/Q12345.json
Note that the canonical URL of this would be https://www.wikidata.org/entity/Q12345.json, which triggers a chain of redirects to get you to the URL above. Note sure how CORS handles this.
Comment Actions
"Please also allow wmflabs.org servers."
That doesn't seem safe to me....
Anything that requires production level access should be on a production domain, not on a wmflabs domain.
Comment Actions
Oh and actually exposing resources for CORS (the json blobs) should be a separate bug request, it requires software changes.
Comment Actions
Closing this bug as it looks solved to me (please reopen with more details if I overlooked something).
(In reply to Magnus Manske from comment #6)
Please also allow wmflabs.org servers.
This is not going to happen because wmflabs.org has a bazillion XSS security flaws which could then be used to perform CRSF attacks against Wikidata etc. This is not open for discussion.
(In reply to Derk-Jan Hartman from comment #9)
Oh and actually exposing resources for CORS (the json blobs) should be a
separate bug request, it requires software changes.
Yes, making the special page usable with JS from remote sites would require extra changes (this should go into a separate bug).
(In reply to Magnus Manske from comment #6)
[...]
This should actually reduce load to the wikidata servers, a many tools could
then use the cached data instead of the API.
I can't remember any huge caching / performance differences between the two approaches offhand (except that SpecialEntityData sucks with XML). If there are such, open a bug for that.