This is an archived snapshot of W3C's public bugzilla bug tracker, decommissioned in April 2019. Please see the home page for more details.

Bug 19236 - Enable CORS on entire site
Summary: Enable CORS on entire site
Status: NEW
Alias: None
Product: webplatform.org
Classification: Unclassified
Component: infrastructure
Version: unspecified
Hardware: PC All
Importance: P2 normal
Target Milestone: ---
Assignee: Doug Schepers
QA Contact: public-webplatform-bugs list
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2012-10-03 00:17 UTC by Eric Bidelman
Modified: 2012-10-04 00:23 UTC
CC List: 3 users

See Also:


Attachments

Description Eric Bidelman 2012-10-03 00:17:03 UTC
http://enable-cors.org!

I've heard a ton of interest from developers that want to integrate IDEs, tools, widgets, etc. with the web docs. webplatform's goal is to be the canonical docs for the web; we should allow people to access them any way they see fit.
Comment 1 Paul Irish 2012-10-03 01:02:20 UTC
Not sure if we serve on Apache, but this should do it:


# Requires mod_headers; adds the CORS header to every response the server sends.
<IfModule mod_headers.c>
    Header set Access-Control-Allow-Origin "*"
</IfModule>
Comment 2 Ryan Lane 2012-10-03 01:15:36 UTC
I worry about enabling this via apache for every request...

We can do it via filematch (which we just did for fonts), and can do it for MediaWiki's api using this:

http://www.mediawiki.org/wiki/Manual:$wgCrossSiteAJAXdomains

I just enabled that as well.
Comment 3 Eric Bidelman 2012-10-03 01:37:28 UTC
There's info on security here:
http://code.google.com/p/html5security/wiki/CrossOriginRequestSecurity

...there can be a perf overhead with the preflight request, but that is minimal.

Is it possible to open it up to only /wiki/tutorial pages for starters?

Also, if we go the route of whitelisting domains, how can folks add/suggest new ones?
Comment 4 Eric Bidelman 2012-10-03 21:50:10 UTC
More info here:
http://monsur.hossa.in/2012/09/07/thoughts-on-the-cors-preflight-cache.html

Monsur has done experiments with CORS. He says:

"serving the header should not be costly at all
i mean, you are adding, what, 30 bytes per request"

The worry is that you open up an "API" for folks to use. However, there's
also nothing to stop folks from iframing in our pages and creating extra
load on the server.

If the server load is a worry, has there been any thought in allowing folks
to request a page as JSON?...and only enable the CORS headers for those
types of requests?
Comment 5 Eric Bidelman 2012-10-03 21:57:29 UTC
More info from Monsur:

"honestly, i don't see it as being a big perf hit as long as devs play within the rules.. besides, if a dev is being malicious, they can find better ways than cors to do it (e.g. just write a script to hit the front page over and over)"

At the very least, I'd like us to consider setting up a form or page where users can
suggest their domain if we go the whitelisting route.
Comment 6 Eric Bidelman 2012-10-04 00:23:17 UTC
Just found out that GET requests without simple headers (http://www.w3.org/TR/cors/#simple-header)
don't incur preflight requests.
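The two policy questions raised in Comment 3 (an origin whitelist, opened up only for /wiki/tutorial pages) and Comment 6 (which requests skip the preflight), as an added Python example that is not part of the bug thread or of webplatform.org's configuration. The origins in the allowlist, the path prefix and the request samples are constructed for illustration.

```python
# Added example: the server-side CORS decisions discussed in the thread,
# written as plain functions so the policy can be tested in isolation.
# Two choices are modelled: an origin allowlist instead of
# Access-Control-Allow-Origin "*", and the "simple request" rule that
# decides whether a browser sends an OPTIONS preflight first.

# Author-set request headers that never trigger a preflight (CORS "simple headers").
SIMPLE_HEADERS = {"accept", "accept-language", "content-language", "content-type"}
SIMPLE_CONTENT_TYPES = {"application/x-www-form-urlencoded", "multipart/form-data", "text/plain"}

# Constructed allowlist; a real deployment would load this from configuration.
ALLOWED_ORIGINS = {"https://tools.example.com", "https://ide.example.org"}


def needs_preflight(method, headers):
    """Return True if a browser would send an OPTIONS preflight for this request.

    `headers` are the headers the page's script sets; headers the browser adds
    on its own (Origin, User-Agent, ...) are not counted, matching the spec.
    """
    if method.upper() not in ("GET", "HEAD", "POST"):
        return True
    for name, value in headers.items():
        lname = name.lower()
        if lname not in SIMPLE_HEADERS:
            return True
        media_type = value.split(";")[0].strip().lower()
        if lname == "content-type" and media_type not in SIMPLE_CONTENT_TYPES:
            return True
    return False


def cors_response_headers(origin, path, allowed=ALLOWED_ORIGINS, prefix="/wiki/tutorial"):
    """Headers to add to a response, or {} if cross-origin access is not granted.

    Only paths under `prefix` are opened up, and the Origin is echoed back only
    when it is on the allowlist, so the allowlist itself is never disclosed and
    no wildcard is sent. Vary: Origin stops a shared cache from serving one
    origin's response (with its echoed header) to a different origin.
    """
    if origin is None or not path.startswith(prefix):
        return {}
    if origin not in allowed:
        return {}
    return {"Access-Control-Allow-Origin": origin, "Vary": "Origin"}
```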