You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
@@ -67,3 +67,13 @@ Any additional development though would be done within the extension itself. Suc
If not already explicitly included above, any existing action API modules that are intended for use with other action API modules, such as those provided by MediaWiki core, are excluded from the scope of this specification.
For example the `entityterms` module which can be combined with other MediaWiki page lookups to retrieve terms of a connected entity from something like pageid or category list.
## Acknowledged (possible) need for follow-ups
### Authentication
This proposal envisages authentication through the use of HTTP headers. Clients must be crafted in a way that they are in possession of a token and actively send it as part of the requests they perform.
Authentication through cookies is not supported in this proposal and client software can not passively rely on a user agent to maintain login state across requests. This renders [CSRF](https://en.wikipedia.org/wiki/Cross-site_request_forgery) attacks impossible and eliminates the need for "CSRF tokens" to be embedded into request bodies.
This proposal does not elaborate how clients can reach possession of such a token and a decision if an exclusive binding to [OAuth](https://www.mediawiki.org/wiki/OAuth/For_Developers) is desired or feasible in the current state has not been reached.
