API:クロスサイト リクエスト

This page is a translated version of the page API:Cross-site requests and the translation is 38% complete.

If an external site needs to make an API call against a MediaWiki site, it must use CORS (preferred) or JSONP (older, less secure).

User scripts and gadgets within the same wiki-family (e.g. a script on the English Wikipedia needs to check image information on Commons) should use mediawiki.ForeignApi , which uses CORS under the hood.

CORS の使用

The MediaWiki API requires that the origin be supplied as a query string parameter, with the value being the site from which the request originates, which is matched against the Origin header required by the CORS protocol. Note that this parameter must be included in any pre-flight request, and so should be included in the query string portion of the request URI even for POST requests.

When the origin parameter is supplied and the request does not return a successful CORS response, MediaWiki≥1.30 will return a MediaWiki-CORS-Rejection header with a brief reason for the failure, e.g. in case of mismatched origin or unsupported headers in a Access-Control-Request-Headers request header.

Unauthenticated CORS Requests

Unauthenticated CORS requests may be made from any origin by setting the origin request parameter to *. In this case MediaWiki will include the Access-Control-Allow-Credentials: false header in the response and will process the request as if logged out.

GET リクエスト

ウィキメディアコモンズから最初の3つの画像の名前を取得します。

サンプル コード

var apiEndpoint = "https://commons.wikimedia.org/w/api.php";
var params = "action=query&list=allimages&ailimit=3&format=json";

/**
 * Send the request to get the images
 */
fetch(apiEndpoint + "?" + params + "&origin=*")
    .then(function(response){return response.json();})
    .then(function(response) {
          var allimages = response.query.allimages; // Process the output to get the image names
          Object.keys(allimages).forEach(function(key) {
               console.log(allimages[key].name);
          });
     });

レスポンス

!!!!!_Mdina_Fortifications,_Ditch,_Bridge_and_Main_Gate.jpg
!!!!_Mdina_buildings_!!!!.jpg
!!!!_Palazzo_Dorell_ancillary_building.jpg

Authenticated CORS Requests

To make an authenticated CORS request, the remote wiki's $wgCrossSiteAJAXdomains setting must be set to allow the origin site. If the CORS origin check passes, MediaWiki will include the Access-Control-Allow-Credentials: true header in the response, so authentication cookies may be sent.

Manual:CORS では、JavaScript で CORS を呼び出す、より多くの手順と例を記しています。

JSONP の使用

The API's format=json accepts a callback parameter, whose value is a JavaScript function which the JSON result will be wrapped in. This may be used to call the API on a remote site by dynamically adding ‎<script> tags to the document.

Using JSONP weakens the security of your origin site because, as described above, API responses are executed as JavaScript code. If an attacker compromises the remote site, they can use their access to run arbitrary JavaScript code in your users' browsers, within the context of your site. It is recommended to use CORS instead.
Any JSONP requests will be processed as if logged out (i.e as an anonymous user), even after logging in to the remote wiki.

GET リクエスト

英語版ウィキペディアからランダムな3ページのタイトルを取得します

サンプル コード

var apiEndpoint = "https://en.wikipedia.org/w/api.php";
var params = "action=query&list=random&rnlimit=3&format=json";

/**
 * The function to wrap the result
 */
window.my_callback = function (response) {
    var pages = response.query.random; // Process the output to get the titles
    Object.keys(pages).forEach(function(key) {
        console.log(pages[key].title);
    });
};

var scriptTag = document.createElement("script"); // Dynamically create a "script" tag
scriptTag.src = apiEndpoint + "?" + params + "&callback=my_callback"; // Point to the query string

document.body.appendChild(scriptTag); // Add the script tag to the document

レスポンス

Kache Aye Shoi
Talk:Sarbka, Wągrowiec County
Category:Nakhon Ratchasima Province

関連項目