Thread:Talk:Requests for comment/API Future/CORS and third-party web apps/reply (2)

Basically, it's three parts:
 * The client adds an "origin" parameter to the request to indicate the origin and explicitly request CORS.
 * The browser adds an "Origin" HTTP header, to also indicate the origin.
 * The MediaWiki configuration has  and   to determine whether to allow the cross-domain request.

First, the "origin" parameter must match one of the values in the "Origin" header, or the request fails.

Second, the "origin" parameter must match one of the patterns in  and not match any pattern in. These are currently set to allow various WMF wikis (but bits.wikimedia.org is not in the list).

If both checks pass, then the appropriate CORS headers are returned to instruct the browser to allow the request, including cookies.

I guess the basic idea behind this proposed non-cookie authentication method would be that it works just like cookies except that it's handled by the client code rather than the browser?
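As an added illustration (not code from this thread or from MediaWiki itself), the two checks described in the reply above, written out in Python: the two pattern lists stand in for the unnamed MediaWiki settings, and the wildcard semantics and the exact response header set are assumptions.

```python
import re
from typing import Iterable, Optional

# Constructed stand-ins for the two MediaWiki settings the reply refers to
# (their real names are not given in the thread). Wildcard semantics assumed:
# '*' matches any run of characters, '?' exactly one character.
ALLOWED_ORIGIN_PATTERNS = ["https://*.wikipedia.org", "https://*.wikimedia.org"]
ORIGIN_EXCEPTIONS = ["https://bits.wikimedia.org"]


def wildcard_to_regex(pattern: str) -> "re.Pattern[str]":
    """Turn a wildcard pattern into an anchored regex (whole-string match)."""
    escaped = re.escape(pattern).replace(r"\*", ".*?").replace(r"\?", ".")
    return re.compile(f"^{escaped}$")


def matches_any(value: str, patterns: Iterable[str]) -> bool:
    return any(wildcard_to_regex(p).match(value) for p in patterns)


def cors_headers_for(origin_param: Optional[str],
                     origin_header: Optional[str],
                     allowed: Iterable[str] = ALLOWED_ORIGIN_PATTERNS,
                     exceptions: Iterable[str] = ORIGIN_EXCEPTIONS) -> Optional[dict]:
    """Return the CORS response headers to emit, or None to refuse.

    None means no Access-Control-* headers are sent, so the browser
    withholds the response from the calling page.
    """
    if origin_param is None or origin_header is None:
        return None  # CORS not explicitly requested, or not a browser CORS request
    # Check 1: the "origin" parameter must be one of the origins the browser
    # asserted in the Origin header (which may list several, space-separated).
    if origin_param not in origin_header.split():
        return None
    # Check 2: must match an allowed pattern and must not match an exception.
    if not matches_any(origin_param, allowed) or matches_any(origin_param, exceptions):
        return None
    # Both checks passed: allow the request, including credentials (cookies).
    # Assumed header set; Vary: Origin keeps caches from reusing the answer
    # for a different origin.
    return {
        "Access-Control-Allow-Origin": origin_param,
        "Access-Control-Allow-Credentials": "true",
        "Vary": "Origin",
    }
```

Note that the anchored match is what stops `https://en.wikipedia.org.attacker.example` from satisfying `https://*.wikipedia.org`.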