Manual:$wgRestAllowCrossOriginCookieAuth
| Security: $wgRestAllowCrossOriginCookieAuth | |
|---|---|
| Allows authenticated cross-origin requests to the REST API with session cookies. |
|
| Introduced in version: | 1.36.0 (Gerrit change 621900; git #c36b3204) |
| Removed in version: | Still in use |
| Allowed values: | (boolean) |
| Default value: | false |
| Other settings: Alphabetical | By function | |
Details
[edit]Allows authenticated cross-origin requests to the REST API with session cookies.
With this option enabled, any origin specified in $wgCrossSiteAJAXdomains may send session cookies for authorization in the REST API.
"authenticated" means authentication methods where the browser would automatically add authentication information to these requests (such as cookies or HTTP Basic Authentication). The more accurate term would be credentialed. Custom authentication mechanisms such as OAuth are not affected by this setting.
There is a performance impact by enabling this option. Therefore, it should be left disabled for most wikis and clients should instead use OAuth to make cross-origin authenticated requests.