I just realized that this change alone is not enough to fulfill the use case we were discussing – it should be enough to make AC/DC consume page piles, but not to make other gadgets (VisualFileChange, Cat-a-lot, …) produce them. I’m not sure how to do that securely, to be honest.
That said… given that pile creation currently doesn’t require a POST request, let alone any kind of CSRF token, and I could therefore cause the creation of loads of page piles by putting something like
into MediaWiki:common.css (or any other website I control), I'm not sure if this is something you're even concerned about. So perhaps it's enough to add a header Access-Control-Allow-Origin: $origin to any responses where the request origin is a Wikimedia site? (I haven’t thought this through yet.)
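One way to implement the origin-checked header suggested above, written here as an added example in PHP rather than PagePile's own code: the request Origin is echoed back only when it is an https origin on a Wikimedia domain, matched on whole labels so look-alike hosts fail. The parent-domain list and the function name are assumptions; the header only relaxes the browser's read restriction and does nothing about the GET-triggered pile creation described in the earlier comment, which still needs a POST plus a token.

```php
<?php
// Added example, not PagePile's code. The list of permitted parent
// domains is an assumption for illustration; adjust to the real set.
const WIKIMEDIA_PARENT_DOMAINS = [
    'wikipedia.org', 'wikimedia.org', 'wikidata.org', 'wiktionary.org',
    'wikisource.org', 'wikibooks.org', 'wikiquote.org', 'wikinews.org',
    'wikiversity.org', 'wikivoyage.org', 'mediawiki.org',
];

/**
 * Return the origin to echo back, or null if it must not be allowed.
 * Accepts only "https://host" (no port, path, userinfo or query) where
 * host equals a permitted parent domain or is a subdomain of one, so
 * "wikipedia.org.example" and "evilwikipedia.org" are rejected.
 */
function corsOriginFor(?string $origin): ?string {
    if ($origin === null || $origin === '') {
        return null;
    }
    $parts = parse_url($origin);
    if ($parts === false || ($parts['scheme'] ?? '') !== 'https'
        || !isset($parts['host']) || isset($parts['port'])
        || isset($parts['path']) || isset($parts['user'])
        || isset($parts['query']) || isset($parts['fragment'])) {
        return null;
    }
    $host = strtolower($parts['host']);
    foreach (WIKIMEDIA_PARENT_DOMAINS as $parent) {
        $suffix = '.' . $parent;
        if ($host === $parent
            || substr($host, -strlen($suffix)) === $suffix) {
            // Rebuild the value instead of echoing the raw header.
            return 'https://' . $host;
        }
    }
    return null;
}

// In api.php, before any output is sent:
$allowed = corsOriginFor($_SERVER['HTTP_ORIGIN'] ?? null);
if ($allowed !== null) {
    header('Access-Control-Allow-Origin: ' . $allowed);
    // Caches must key on Origin, since the response depends on it.
    header('Vary: Origin');
}
```

Access-Control-Allow-Credentials is deliberately not set, so responses to credentialed (cookie-bearing) cross-origin requests stay unreadable to the calling page.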
Thanks for merging! But for some reason it’s not working…
I can see that the code is deployed (grep Access-Control-Allow-Origin ~tools.pagepile/public_html/api.php), but the header isn't there. Any ideas why? Locally (under Apache, with some temporary hacks to work around missing require_once and get_request) it seems to work, and I can successfully set the header in Wikidata Lexeme Forms (curl -I https://tools.wmflabs.org/lexeme-forms/api/v1/template/english-noun), so I don’t think the front-end proxy (nginx, right?) strips it out. But perhaps lighttpd doesn’t allow it?
Well, I figured out why it wasn’t working – see #7.