Manual:$wgCrossSiteAJAXdomains/ru

Allows Ajax requests from certain domains to make authenticated cross-site requests to a wiki's API (see Manual:CORS for example usage). (Anonymous cross-site Ajax requests aren't limited to specific domains, and are not affected by this setting.) This uses the Access-Control-Allow-Origin HTTP header. Note that some older browsers don't support this. This only affects requests to the API. Other entry points (index.php) are not affected.

The value must be a list of allowed domain names, which can include shell-style wildcards (? to match any character, * to match any number (including zero) of characters). An empty array means no external authenticated access is allowed.

$wgCrossSiteAJAXdomains = [
    '*'
];

$wgCrossSiteAJAXdomains = [
    'en.wikipedia.org',
    'en.wikibooks.org'
];

$wgCrossSiteAJAXdomains = [
    '*.wikipedia.org'
];

Внимание:

Any site listed in this config setting can take actions on behalf of your logged in users if they visit that site. Only include sites that you trust in this variable

Until MediaWiki 1.34, there could be logs Non-whitelisted CORS request with session cookies referring to the wiki itself, which could be fixed by adding the wiki’s server name in this parameter to avoid these logs. This was fixed in MediaWiki 1.35 in T243908.

• Manual:CORS
• $wgCrossSiteAJAXdomainExceptions - for exempting subdomains
• $wgAllowedCorsHeaders - for allowing custom headers
• $wgAllowCrossOrigin и $wgRestAllowCrossOriginCookieAuth - for allowing CORS in the REST API