Manual:CORS

The MediaWiki API supports CORS (cross-origin resource sharing) requests if   is enabled.

This is used on Wikimedia sites to do things like allow image uploads directly to Commons from Wikipedia sites on the mobile interface.

This page details how to use CORS requests in your JavaScript code to communicate between wikis on different domains.

Description
For CORS requests to go through, you need to pass an origin parameter with the local wiki protocol+host as value (for example,  ). This must match one of the values in on the foreign wiki.

If you wish the browser to use any cookies it might have for the domain (which you probably do, if you're using CORS; otherwise you could use the JSONP format instead, saving yourself hassle), to keep the current user logged in, you also need to set the  field of   to.

Examples
In the examples below, we assume that the local wiki from which the requests originate is www.mediawiki.org, and that the foreign wiki which the requests target is en.wikipedia.org.

Using mediawiki.ForeignApi
The mediawiki.ForeignApi module is an extension of mediawiki.api which automatically handles the details for you.

An example that checks whether the user is logged in on the foreign wiki:

A basic write API example. We're acquiring a  token and using it to set a persistent custom user preference that a gadget might use afterwards:

The same example can be rewritten more succinctly using some mediawiki.api helper methods, which are available for ForeignApi too:

Using jQuery methods
If you wish not to use mediawiki.api for whatever reason, or if you're curious how this works at a lower level, here's how to implement the same functionality using plain jQuery AJAX functionality. (You could even use plain XMLHttpRequest, but we're not that masochistic in this manual.)

An example that checks whether the user is logged in on the foreign wiki:

A basic write API example:

Note that  is part of the URL since POST CORS requests are [https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS#Preflighted_requests preflighted] and the origin parameter must be included in the preflight request.
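The request shape described above, as an added example that is not part of the original manual. It uses the browser `fetch()` API instead of jQuery, with `credentials: 'include'` so the browser sends its cookies for the foreign wiki; the function names are hypothetical, and the wikis are the ones assumed in the Examples section.

```javascript
// Added example (not from the manual). Function names are hypothetical.
// Local wiki: www.mediawiki.org, foreign wiki: en.wikipedia.org.
const FOREIGN_API = 'https://en.wikipedia.org/w/api.php';

// Build the URL and fetch() options for a cross-wiki API call.
// The origin parameter always goes in the URL query string, never in the
// POST body: the preflight OPTIONS request carries no body, so an origin
// sent only in the body would be invisible to the foreign wiki's CORS check.
function buildCorsRequest(localOrigin, method, params) {
  // origin must be exactly protocol+host: no path, query or fragment.
  if (new URL(localOrigin).origin !== localOrigin) {
    throw new Error('origin must be protocol+host only: ' + localOrigin);
  }
  const url = new URL(FOREIGN_API);
  url.searchParams.set('origin', localOrigin);
  url.searchParams.set('format', 'json');
  // credentials: 'include' makes the browser send the foreign wiki's cookies.
  const init = { method, credentials: 'include' };
  if (method === 'GET') {
    for (const [key, value] of Object.entries(params)) {
      url.searchParams.set(key, value);
    }
  } else {
    // Write parameters (including tokens) stay in the body, out of the URL
    // and therefore out of server logs and browser history.
    init.body = new URLSearchParams(params);
  }
  return { url: url.toString(), init };
}

// Read-only check of the login state on the foreign wiki.
async function foreignUserInfo(localOrigin) {
  const { url, init } = buildCorsRequest(localOrigin, 'GET', {
    action: 'query',
    meta: 'userinfo',
  });
  const response = await fetch(url, init);
  if (!response.ok) {
    throw new Error('foreign API returned HTTP ' + response.status);
  }
  const data = await response.json();
  return data.query.userinfo; // anonymous users carry an "anon" key
}
```

If the foreign wiki does not list the local origin, the browser blocks the response and `fetch()` rejects, so callers of `foreignUserInfo` should handle the rejection instead of assuming the user is logged out.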

CentralAuth
CentralAuth allows your code to authenticate on the foreign wiki as the user currently logged in on the local wiki using a centralauthtoken. This guarantees that the same associated account will be used for actions on both wikis, unlike regular CORS (which requires the user to have previously logged in to the foreign wiki).

If both the local and foreign wiki have CentralAuth installed, the mediawiki.ForeignApi mechanism is seamlessly extended to handle this for you. If you're implementing it yourself, see Extension:CentralAuth/API for instructions on how to acquire a token (from the local wiki) and pass it to a request (to the foreign wiki).