CAS CORS issue on logout in MW 1.35 #15
Description
Hi folks, we recently upgraded from MediaWiki 1.31 LTS to 1.35 LTS and ran into a problem with CAS logouts due to MW1.35's change to using an AJAX post for logout rather than the default link following behavior. This new behavior was added in https://phabricator.wikimedia.org/T222626 . This may not be an issue for others if your CAS server sets CORS headers that allow the /cas/logout path to be accessed as part of AJAX requests, but our currently doesn't.
The work-around I ended up using is to comment out the Javascript code in MediaWiki that takes over the interaction for the logout link. This makes logout a two-click process, but one that has the benefit of not failing with CORS errors.
diff --git a/mediawiki/resources/src/mediawiki.page.ready/ready.js b/mediawiki/resources/src/mediawiki.page.ready/ready.j
index 6acffdf..a6f19a6 100644
--- a/mediawiki/resources/src/mediawiki.page.ready/ready.js
+++ b/mediawiki/resources/src/mediawiki.page.ready/ready.js
@@ -67,6 +67,12 @@ $( function () {
e.preventDefault();
} );
+/*
+ // Commented out by Adam Franco 2021-06-22 to avoid CORS issues with sending
+ // the CAS logout request via AJAX rather than a full client redirect.
+ // This code to turn the logout link into an AJAX POST was added in:
+ // https://phabricator.wikimedia.org/T222626
+
// Turn logout to a POST action
$( '#pt-logout a[data-mw="interface"]' ).on( 'click', function ( e ) {
var api = new mw.Api(),
@@ -90,6 +96,7 @@ $( function () {
);
e.preventDefault();
} );
+*/
} );
/**
If anyone has suggestions for alternate fixes that don't involve modifying the CAS server I'd be interested in hearing your ideas.