CORS

Cross-origin resource sharing (CORS) is a mechanism that allows restricted resources (e.g. fonts, JavaScript, etc.) on a web page to be requested from another domain outside the domain from which the resource originated - wikipedia

CORS defines a way in which a browser and server can interact to safely determine whether or not to allow the cross-origin request. It allows for more freedom and functionality than purely same-origin requests, but is more secure than simply allowing all cross-origin requests. It is a recommended standard of the W3C.

Simple example

The following exchange takes place when a CORS-capable browser makes a cross-origin request.

1. When a page served from http://www.foo.com attempts to read a user's data from bar.com, the browser adds the following request header to the request it sends to bar.com (the page's script cannot set or forge this header):

Origin: http://www.foo.com

2. The server may respond with:

Access-Control-Allow-Origin: http://www.foo.com

In full, the server may reply in one of three ways:

  • An Access-Control-Allow-Origin (ACAO) header in its response naming the exact origin that is allowed to read the response (as above).
  • No ACAO header, or one that does not match the requesting origin, if the server does not allow the cross-origin request. Note that for a simple request the request has still reached the server and been processed; the browser merely refuses to expose the response to the calling page. CORS therefore does not by itself protect a state-changing endpoint against cross-site requests.
  • An Access-Control-Allow-Origin (ACAO) header with a wildcard that allows any origin to read the response:

Here is an example of a returned wildcard header. Browsers will not accept the wildcard for requests that carry credentials (cookies or HTTP authentication); such responses must echo one specific origin instead:

Access-Control-Allow-Origin: *
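The server-side half of the exchange above, as an added example that is not code from the original page or from any CORS library: a plain function that turns the request's Origin header into the response headers the page lists, using an exact-match allow-list and refusing to pair the wildcard with credentials. The allow-list contents, the option names and the pre-flight grants are assumptions made for the example.

```javascript
// Added example, not code from the original page or from any CORS library:
// a server-side CORS decision as a plain function, so it can be run offline.
// The allow-list contents and the option names are assumptions for the example.

// Exact origins (scheme + host + optional port) allowed to read responses.
// http://www.foo.com is the origin used in the page's example above.
const ALLOWED_ORIGINS = new Set(['http://www.foo.com']);

/**
 * Decide which CORS headers to add to a response.
 * @param {string|undefined} origin  the request's Origin header, if any
 * @param {object} [opts]
 * @param {Set<string>} [opts.allowList]         origins permitted to read the response
 * @param {boolean}     [opts.allowCredentials]  cookies/HTTP auth may accompany the request
 * @param {boolean}     [opts.publicResource]    anyone may read it (no credentials involved)
 * @returns {Object<string,string>}  headers to add; {} means the browser blocks the read
 */
function corsHeaders(origin, opts = {}) {
  const {
    allowList = ALLOWED_ORIGINS,
    allowCredentials = false,
    publicResource = false,
  } = opts;

  // No Origin header: same-origin navigation or a non-browser client. Nothing to add.
  if (!origin) return {};

  // A public, credential-free resource is the only case where '*' is appropriate.
  if (publicResource && !allowCredentials) {
    return { 'Access-Control-Allow-Origin': '*' };
  }

  // Exact string match. Never use startsWith/includes/unanchored regex:
  // 'http://www.foo.com.evil.example' must not match 'http://www.foo.com'.
  if (!allowList.has(origin)) return {};

  const headers = {
    'Access-Control-Allow-Origin': origin,
    // The response now depends on the Origin header, so shared caches must key on it.
    'Vary': 'Origin',
  };
  if (allowCredentials) {
    // Browsers refuse '*' together with credentials, so a specific origin is echoed
    // and credentials are explicitly allowed.
    headers['Access-Control-Allow-Credentials'] = 'true';
  }
  return headers;
}

/**
 * Headers for a pre-flight (OPTIONS) request. Re-uses the origin decision and adds
 * the method grant the browser asked about.
 * @param {string|undefined} origin
 * @param {string|undefined} requestedMethod  value of Access-Control-Request-Method
 * @param {string[]} allowedMethods           methods the endpoint supports cross-origin
 * @param {object} [opts]                     same options as corsHeaders
 * @returns {Object<string,string>}  {} makes the browser abort the real request
 */
function preflightHeaders(origin, requestedMethod, allowedMethods, opts = {}) {
  const headers = corsHeaders(origin, opts);
  if (!('Access-Control-Allow-Origin' in headers)) return {};
  if (!requestedMethod || !allowedMethods.includes(requestedMethod.toUpperCase())) return {};
  headers['Access-Control-Allow-Methods'] = allowedMethods.join(', ');
  headers['Access-Control-Allow-Headers'] = 'Content-Type';
  headers['Access-Control-Max-Age'] = '600'; // seconds the browser may cache this answer
  return headers;
}
```

A middleware would call corsHeaders(req.headers.origin, ...) on every response and preflightHeaders(...) on OPTIONS requests; the point of the exact-match set is that a reflected or suffix-matched origin combined with Access-Control-Allow-Credentials: true hands any attacker-controlled site a logged-in user's data.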

IPFS Usage

Need to check whether IPFS issues wildcard CORS headers. This would be needed to be able to mix content from the IPFS daemon with other internet content. There is a discussion here - github

Unfortunately, IPFS defaults to disallowing CORS. There is some discussion regarding API_ORIGIN - github

Mediawiki and Wikipedia Use

For a CORS request to be allowed by the remote wiki, $wgCrossSiteAJAXdomains must be set appropriately to allow the origin site.

The MediaWiki API also requires that the origin be supplied as a request parameter, appropriately named "origin", which is matched against the Origin header required by the CORS protocol.

Note that this parameter must be included in any pre-flight request, and so should be included in the query string portion of the request URI even for POST requests (a pre-flight OPTIONS request carries no body, so a parameter sent only in the POST body would not be seen).

If the CORS origin check passes, MediaWiki will include the Access-Control-Allow-Credentials: true header in the response, so authentication cookies may be sent. This is also why the allowed origins must be listed explicitly: a browser will not accept a wildcard Access-Control-Allow-Origin together with that header.

On Wikimedia wikis CORS has been enabled since September 2012; as of October 2013 CORS pre-flight requests are also supported.
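The client side of the MediaWiki procedure above, as an added example that is not MediaWiki's own client code: it builds the cross-origin API request with the origin parameter in the query string even for POST, sends cookies, and checks the response headers the way a browser does before exposing the body. The API URL, the calling-page origin (http://www.foo.com, from the earlier example) and the parameter sets are assumed for illustration.

```javascript
// Added example, not MediaWiki's own client code: build a cross-origin request to the
// MediaWiki API as the page describes, and check the response headers a browser would
// require before exposing the body. The page origin http://www.foo.com is the one from
// the page's earlier example; the API parameters are assumed for illustration.

/**
 * Build a cross-origin MediaWiki API request.
 * The MediaWiki-specific `origin` parameter goes in the query string even for POST,
 * because a pre-flight (OPTIONS) request, when the browser sends one, carries no body;
 * MediaWiki compares the parameter with the Origin header the browser attaches.
 * @param {string} apiUrl      e.g. https://en.wikipedia.org/w/api.php
 * @param {string} pageOrigin  origin of the calling page (must be in $wgCrossSiteAJAXdomains)
 * @param {Object<string,string>} params  API parameters (action, meta, ...)
 * @param {{method?: string}} [opts]
 * @returns {{url: string, init: object}}  arguments for fetch(url, init)
 */
function buildMediaWikiRequest(apiUrl, pageOrigin, params, opts = {}) {
  const method = (opts.method || 'GET').toUpperCase();
  const url = new URL(apiUrl);
  url.searchParams.set('origin', pageOrigin);
  url.searchParams.set('format', 'json');

  // Cookies are only sent if the page asks for them; the server must then answer
  // with Access-Control-Allow-Credentials: true for the browser to expose the body.
  const init = { method, credentials: 'include' };

  if (method === 'GET') {
    for (const [k, v] of Object.entries(params)) url.searchParams.set(k, v);
  } else {
    // POST: the other parameters travel in the body; origin stays in the query string.
    init.headers = { 'Content-Type': 'application/x-www-form-urlencoded' };
    init.body = new URLSearchParams(params).toString();
  }
  return { url: url.toString(), init };
}

/**
 * Would a browser expose this response to pageOrigin?
 * Mirrors the checks browsers apply: Access-Control-Allow-Origin must match the
 * origin exactly (a '*' is accepted only when no credentials were sent) and, with
 * credentials, Access-Control-Allow-Credentials must be exactly 'true'.
 * @param {Object<string,string>} headers  response headers with lower-cased names
 * @param {string} pageOrigin
 * @param {boolean} sentCredentials  whether the request used credentials: 'include'
 * @returns {boolean}
 */
function responseReadable(headers, pageOrigin, sentCredentials) {
  const acao = headers['access-control-allow-origin'];
  if (acao === undefined) return false;
  if (acao === '*') return !sentCredentials; // wildcard never pairs with credentials
  if (acao !== pageOrigin) return false;
  if (sentCredentials && headers['access-control-allow-credentials'] !== 'true') return false;
  return true;
}
```

Sending the request is then fetch(url, init); if responseReadable() would return false for the headers the wiki returns, the likely causes are the calling origin missing from $wgCrossSiteAJAXdomains or the origin parameter not matching the browser's Origin header exactly.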