This question related to another question, which was asked year ago. Author asked how to make cros-origin request using JavaScript and Wikipedia API and one ment was:

en.wikipedia doesn't seem to allow CORS

and he was advised to use JSONP instead.

I know I can use JSONP, but I prefer CORS if I can use it.

I tried on jsfiddle

var url = ".php?action=query&titles=Main%20Page&prop=revisions&rvprop=content&format=json";

                $.ajax({
                    url: url,
                    data: 'query',
                    dataType: 'json',
                    type: 'POST',
                    headers: { 'Api-User-Agent': 'Example/1.0' },
                    origin: '/',
                    success: function (data) {
                        console.log(data);
                        //do something with data
                    }});

and get the following error:

XMLHttpRequest cannot load .php?action=query&titles=Main%20Page&prop=revisions&rvprop=content&format=json. Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin '' is therefore not allowed access.

Request Header:

authority:en.wikipedia
method:OPTIONS
path:/w/api.php?action=query&titles=Main%20Page&prop=revisions&rvprop=content&format=json
scheme:https 
accept:/ 
accept-encoding:gzip, deflate, sdch 
accept-language:en-US,en;q=0.8,fr-CA;q=0.6,fr;q=0.4,fr-FR;q=0.2,ru;q=0.2,uk;q=0.2 
access-control-request-headers:accept, api-user-agent, content-type 
access-control-request-method:POST 
origin: 
referer:/ 
user-agent:Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.94 Safari/537.36

Response Header:

accept-ranges:bytes 
age:0 
backend-timing:D=33198 t=1462749020308717 
cache-control:no-cache 
content-encoding:gzip 
content-length:20 
content-type:text/html 
date:Sun, 08 May 2016 23:10:20 GMT 
p3p:CP="This is not a P3P policy! See :CentralAutoLogin/P3P for more info." 
server:mw1114.eqiad.wmnet 
set-cookie:CP=H2; Path=/; secure 
set-cookie:GeoIP=US:MA:Waltham:42.37:-71.24:v4; Path=/; secure; Domain=.wikipedia 
set-cookie:WMF-Last-Access=08-May-2016;Path=/;HttpOnly;secure;
Expires=Thu, 09 Jun 2016 12:00:00 GMT 
status:200 
strict-transport-security:max-age=31536000; includeSubDomains; preload 
vary:Accept-Encoding 
via:1.1 varnish, 1.1 varnish 
x-analytics:https=1;nocookies=1 
x-cache:cp1066 pass+chfp(0), cp1055 frontend pass+chfp(0) 
x-client-ip:146.115.167.51 
x-content-type-options:nosniff 
x-powered-by:HHVM/3.12.1 
x-varnish:2807049448, 2537048470

So, I need confirmation that CORS doesn't work for Wikipedia API and I need use JSONP.

This question related to another question, which was asked year ago. Author asked how to make cros-origin request using JavaScript and Wikipedia API and one ment was:

en.wikipedia doesn't seem to allow CORS

and he was advised to use JSONP instead.

I know I can use JSONP, but I prefer CORS if I can use it.

I tried on jsfiddle

var url = "https://en.wikipedia/w/api.php?action=query&titles=Main%20Page&prop=revisions&rvprop=content&format=json";

                $.ajax({
                    url: url,
                    data: 'query',
                    dataType: 'json',
                    type: 'POST',
                    headers: { 'Api-User-Agent': 'Example/1.0' },
                    origin: 'https://jsfiddle/',
                    success: function (data) {
                        console.log(data);
                        //do something with data
                    }});

and get the following error:

XMLHttpRequest cannot load https://en.wikipedia/w/api.php?action=query&titles=Main%20Page&prop=revisions&rvprop=content&format=json. Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'https://fiddle.jshell' is therefore not allowed access.

Request Header:

authority:en.wikipedia
method:OPTIONS
path:/w/api.php?action=query&titles=Main%20Page&prop=revisions&rvprop=content&format=json
scheme:https 
accept:/ 
accept-encoding:gzip, deflate, sdch 
accept-language:en-US,en;q=0.8,fr-CA;q=0.6,fr;q=0.4,fr-FR;q=0.2,ru;q=0.2,uk;q=0.2 
access-control-request-headers:accept, api-user-agent, content-type 
access-control-request-method:POST 
origin:https://fiddle.jshell 
referer:https://fiddle.jshell/_display/ 
user-agent:Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.94 Safari/537.36

Response Header:

accept-ranges:bytes 
age:0 
backend-timing:D=33198 t=1462749020308717 
cache-control:no-cache 
content-encoding:gzip 
content-length:20 
content-type:text/html 
date:Sun, 08 May 2016 23:10:20 GMT 
p3p:CP="This is not a P3P policy! See https://en.wikipedia/wiki/Special:CentralAutoLogin/P3P for more info." 
server:mw1114.eqiad.wmnet 
set-cookie:CP=H2; Path=/; secure 
set-cookie:GeoIP=US:MA:Waltham:42.37:-71.24:v4; Path=/; secure; Domain=.wikipedia 
set-cookie:WMF-Last-Access=08-May-2016;Path=/;HttpOnly;secure;
Expires=Thu, 09 Jun 2016 12:00:00 GMT 
status:200 
strict-transport-security:max-age=31536000; includeSubDomains; preload 
vary:Accept-Encoding 
via:1.1 varnish, 1.1 varnish 
x-analytics:https=1;nocookies=1 
x-cache:cp1066 pass+chfp(0), cp1055 frontend pass+chfp(0) 
x-client-ip:146.115.167.51 
x-content-type-options:nosniff 
x-powered-by:HHVM/3.12.1 
x-varnish:2807049448, 2537048470

So, I need confirmation that CORS doesn't work for Wikipedia API and I need use JSONP.

• javascript
• jquery
• cors
• jsonp
• wikipedia-api

Share Improve this question Follow edited May 23, 2017 at 12:17 CommunityBot 111 silver badge asked May 8, 2016 at 23:47 AlexanAlexan 8,6271414 gold badges8282 silver badges106106 bronze badges 1

• 1 Pref-light response indicates Wikipedia does not support CORS - it does not contain any access-control-allow-origin and other access-control-allow-xxxxheaders. – Michal Foksa Commented May 9, 2016 at 4:50

Add a ment  | 

1 Answer 1

Sorted by: Reset to default 16

To make JavaScript Fetch/XHR requests to Wikipedia, add origin=* to the URL query params.

So the base of the URL in the question should be like this:

https://en.wikipedia/w/api.php?origin=*&action=query…

See the CORS-related docs for the Wikipedia backend:

For anonymous requests, origin query string parameter can be set to * which will allow requests from anywhere.

---

2016-05-09 original answer

See “Enable cross-domain API requests in API's JSON responses”, an open bug for Wikimedia sites that indicates that they currently only support CORS requests from different Wikimedia sites themselves to other Wikimedia sites—but they do not support CORS requests from external sites.

See in particular https://phabricator.wikimedia/T62835#2191138 (from Apr 8, 2016) which is a summary that indicates they are considering to make a change to allow CORS request from external sites, but they have not yet enabled it.

2016-07-12 update

It seems they will be deploying CORS support today:

unauthenticated cross-domain API requests are now possible. This should be deployed to WMF wikis with 1.128.0-wmf.10, see https://www.mediawiki/wiki/MediaWiki_1.28/Roadmap for the schedule

https://www.mediawiki/wiki/MediaWiki_1.28/Roadmap indicates the 1.128.0-wmf.10 deployment dates are 12 July 2016 to 14 July 2016.

2016-08-05 update

As torvin notes in a ment below:

to trigger the new behaviour, you need to specify origin=* in your url params. This is currently buried in the T62835 discussion and is not stated in the documentation yet.