Open Bug 601726 Opened 14 years ago Updated 13 years ago

Put "Access-Control-Allow-Origin: *" header on all requests to wiki.mozilla.org's public page renders

Categories

(mozilla.org :: Security Assurance: Applications, task)

task
Not set
normal

Tracking

(Not tracked)

People

(Reporter: avarma, Assigned: ygjb)

Details

I mentioned in one of my blog posts [1] that I'd made a simple server that provides a cross-site XHR REST API to obtain the rendered HTML content of a wiki page on wiki.mozilla.org (sans header/footer/sidebar content). Ted Mielczarek then mentioned in a comment that it'd be great if this was just part of wiki.mozilla.org itself.

This would just require putting an "Access-Control-Allow-Origin: *" header on all GET requests to URLs of the form:

  https://wiki.mozilla.org/index.php?title=FOO&action=render

Except that "FOO" could actually be any page title.

If this could be done, and possibly also enabled for "action=raw" as well, it'd allow any web page to mash up data from the wiki with the rest of the web, e.g. with Gerv's Bugzilla REST API.

[1] http://www.toolness.com/wp/?p=1081

Infrasec, ack? It seems feasible to do something like this:

  <LocationMatch "/index.php?title=FOO&action=render">
    Header add Access-Control-Allow-Origin: *
  </LocationMatch>

Better suggestions welcome, of course.

Assignee: nobody → infrasec
Component: Other → Infrastructure Security: Web Security
OS: Mac OS X → All
Product: Websites → mozilla.org
QA Contact: other → mcoates
Hardware: x86 → All
Version: unspecified → other
Relevant note: we use different links on wikimo now. Links look like this:

  https://wiki.mozilla.org/Releases

No 'index.php?querystring' is generally seen. In fact, links of the form shown don't even work anymore, it seems:

  https://wiki.mozilla.org/index.php?title=Releases&action=render

Recommend closing this bug unless a better solution is presented.

QA Contact: mcoates → jstevensen
QA Contact: jstevensen → yboily
Assignee: security-assurance → yboily
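
A scoped version of the header rule discussed in this bug, as an added example that is not part of the bug thread and not configuration from wiki.mozilla.org. It assumes Apache httpd 2.4 with mod_headers loaded and MediaWiki still answering at /index.php with action=render and action=raw.

```apache
# Added example; assumptions: Apache httpd 2.4, mod_headers, MediaWiki at /index.php.

# The form sketched in the thread never fires: <Location> and <LocationMatch>
# are tested against the URL path only, so "title=...&action=render" (the
# query string) is not part of what the pattern sees. As a regex, the
# unescaped "?" also just makes the preceding "p" optional.
#
#   <LocationMatch "/index.php?title=FOO&action=render">
#       Header add Access-Control-Allow-Origin: *
#   </LocationMatch>

# Scoped form: test the method, the path and the action parameter separately,
# so the header is limited to read-only renders and is not sent on edit,
# login or API responses served by the same script.
<If "%{REQUEST_METHOD} == 'GET' && %{REQUEST_URI} == '/index.php' && %{QUERY_STRING} =~ /(^|&)action=(render|raw)(&|$)/">
    # "set" replaces any value added upstream; "add" could emit the header
    # twice, and browsers fail the CORS check when two values are present.
    Header set Access-Control-Allow-Origin "*"
</If>

# With the wildcard value, browsers refuse to expose the response to
# credentialed cross-origin requests, so only content an anonymous client can
# already fetch becomes readable. Do not pair this rule with
# Access-Control-Allow-Credentials.
```

A quick check is to request a render URL and an ordinary page view and confirm the header appears only on the first.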