-rw-r--r-- | RELEASE-NOTES-1.44 | 8 | ||||
-rw-r--r-- | docs/config-schema.yaml | 2 | ||||
-rw-r--r-- | includes/MainConfigSchema.php | 2 | ||||
-rw-r--r-- | includes/config-schema.php | 2 |
4 files changed, 7 insertions, 7 deletions
diff --git a/RELEASE-NOTES-1.44 b/RELEASE-NOTES-1.44 index 6a9482fdf2fa..7ecd4b6ddb2b 100644 --- a/RELEASE-NOTES-1.44 +++ b/RELEASE-NOTES-1.44 @@ -40,7 +40,7 @@ For notes on 1.43.x and older releases, see HISTORY. into these groups will never result in an RC entry, even if $wgAutopromoteOnceLogInRC is true, as long as they were the only new groups the user was autopromoted into. -* (T322944) $wgAllowAuthenticatedCrossOrigin - If true (defaults to false), +* (T322944) $wgAllowAuthenticatedCrossOrigin - If true (defaults to true), enable the crossorigin= API parameter to allow authenticated cross-origin API requests. * (T240542) $wgAutoblockExemptions - IP addresses and CIDR ranges listed here @@ -91,11 +91,11 @@ For notes on 1.43.x and older releases, see HISTORY. This does not consider deletion log entries that were suppressed. * (T326056) Attempting to create a redirect to another redirect will now result in a warning. -* (T322944) If enabled ($wgAllowAuthenticatedCrossOrigin, see above), - developers using the Action API can now use the new crossorigin= parameter. - If used with a supported session provider, such as OAuth, +* (T322944) Developers using the Action API can now use the new crossorigin= + parameter. If used with a supported session provider, such as OAuth, this permits authenticated cross-origin requests against the Action API, similar to how origin=* allows unauthenticated cross-origin requests. + Can be disabled via $wgAllowAuthenticatedCrossOrigin (see above). * (T24521, T62109) Embedding a file (e.g., [[File:MediaWiki.png]]) on a page protected with cascading protection will no longer restrict edits to the file description page, only file uploads. Transcluding a file description diff --git a/docs/config-schema.yaml b/docs/config-schema.yaml index 1d507ab96e3a..17b0a1b6c774 100644 --- a/docs/config-schema.yaml +++ b/docs/config-schema.yaml 
@@ -5890,7 +5890,7 @@ config-schema: - false: Allow all framing. Note: $wgBreakFrames will override this for human formatted API output. AllowAuthenticatedCrossOrigin: - default: false + default: true type: boolean description: |- Allow non-anonymous cross-origin requests to the Action API. diff --git a/includes/MainConfigSchema.php b/includes/MainConfigSchema.php index 94ab7a47995f..0c8e3b8382cf 100644 --- a/includes/MainConfigSchema.php +++ b/includes/MainConfigSchema.php @@ -9407,7 +9407,7 @@ class MainConfigSchema { * @since 1.43 */ public const AllowAuthenticatedCrossOrigin = [ - 'default' => false, + 'default' => true, 'type' => 'boolean', ]; diff --git a/includes/config-schema.php b/includes/config-schema.php index 8391a3dc4f04..cad9703297f9 100644 --- a/includes/config-schema.php +++ b/includes/config-schema.php @@ -1814,7 +1814,7 @@ return [ 'BreakFrames' => false, 'EditPageFrameOptions' => 'DENY', 'ApiFrameOptions' => 'DENY', - 'AllowAuthenticatedCrossOrigin' => false, + 'AllowAuthenticatedCrossOrigin' => true, 'CSPHeader' => false, 'CSPReportOnlyHeader' => false, 'CSPFalsePositiveUrls' => [ |
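Review bot: The docblock on `AllowAuthenticatedCrossOrigin` in includes/MainConfigSchema.php should record that the option is now on by default and what bounds it, because with `'default' => true` every wiki that upgrades without setting it starts accepting the `crossorigin=` parameter for authenticated cross-origin Action API requests. Only the `@since 1.43` tail of that docblock is inside the hunk, so the rest of its wording cannot be checked from here. I would add something like `Enabled by default since 1.44. Only honoured with a supported session provider such as OAuth; set to false to disable the crossorigin= parameter.` The safety of the new default presumably rests on the session-provider restriction enforced outside this diff, so it is worth confirming that a test covers `crossorigin=` being refused for unsupported session types. The same default is repeated in docs/config-schema.yaml and includes/config-schema.php, which look generated from this class.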