Manual:$wgCrossSiteAJAXdomains

From mediawiki.org
Jump to navigation Jump to search
This page is a translated version of the page Manual:$wgCrossSiteAJAXdomains and the translation is 33% complete.
API: $wgCrossSiteAJAXdomains
MediaWiki API に対してクロス サイト Ajax リクエストを行う可能性のあるドメイン。
導入されたバージョン:1.16.0 (r54127)
除去されたバージョン:使用中
許容される値:(配列)
既定値:[]

詳細

Allows Ajax requests from certain domains to make cross-site requests to a wiki's API (see Manual:CORS for example usage). これは Access-Control-Allow-Origin HTTP ヘッダーを使用します。 Note that some older browsers don't support this. This only affects requests to the API. Other entry points (index.php) are not affected.

The value must be a list of allowed domain names, which can include shell-style wildcards (? to match any character, * to match any number (including zero) of characters). An empty array means no external access is allowed.

Some examples:

Allow any domain to access the API via Ajax (This is insecure):

$wgCrossSiteAJAXdomains = [
    '*'
];

Allow two specific domains:

$wgCrossSiteAJAXdomains = [
    'en.wikipedia.org',
    'en.wikibooks.org'
];

Allow all subdomains of a domain (including "deep" subdomains such as en.m.wikipedia.org):

$wgCrossSiteAJAXdomains = [
    '*.wikipedia.org'
];

使用例は gerrit:9624 を参照してください。

警告 警告: Any site listed in this config setting can take actions on behalf of your logged in users if they visit that site. Only include sites that you trust in this variable


Until MediaWiki 1.34, there could be logs Non-whitelisted CORS request with session cookies referring to the wiki itself, which could be fixed by adding the wiki’s server name in this parameter to avoid these logs. This was fixed in MediaWiki 1.35 in T243908.

関連項目