API:クロスサイト リクエスト

From MediaWiki.org
Jump to navigation Jump to search
This page is a translated version of the page API:Cross-site requests and the translation is 33% complete.

Other languages:
Deutsch • ‎English • ‎dansk • ‎español • ‎français • ‎română • ‎русский • ‎ไทย • ‎中文 • ‎日本語 • ‎한국어

If a user script or gadget needs to make an API call against another MediaWiki site (e.g. a script on the English Wikipedia needs to check image information on Commons), it must use JSONP or CORS.


The API format=json accepts a "callback" parameter, which names a JavaScript function in which the JSON result will be wrapped. This may be used to call the API on a remote site by dynamically adding <script> tags to the document.

Note that any JSONP requests will be processed as if logged out, even if the browser session is authenticated against the remote wiki.

CORS の使用

The MediaWiki API requires that the origin be supplied as a query string parameter, appropriately named "origin", which is matched against the Origin header required by the CORS protocol. Note that this parameter must be included in any pre-flight request, and so should be included in the query string portion of the request URI even for POST requests.

To make an authenticated CORS request, the remote wiki's $wgCrossSiteAJAXdomains setting must be set to allow the origin site. If the CORS origin check passes, MediaWiki will include the Access-Control-Allow-Credentials: true header in the response, so authentication cookies may be sent.

Unauthenticated CORS requests may be made from any origin by setting the "origin" request parameter to "*". In this case MediaWiki will include the Access-Control-Allow-Credentials: false header in the response and will process the request as if logged out (in case credentials are somehow sent anyway).

When the "origin" request parameter is supplied, MediaWiki (since 1.30) will return a MediaWiki-CORS-Rejection header with a brief failure reason if the request does not result in a successful CORS response, e.g. in case of mismatched origin or unsupported headers in a Access-Control-Request-Headers request header.

Manual:CORS を参照すると、JavaScript で CORS を呼び出す手順を説明してあります。