TheDJ has uploaded a new change for review.

  https://gerrit.wikimedia.org/r/177545

Change subject: [WIP] Only return CORS headers in the response as required
......................................................................

[WIP] Only return CORS headers in the response as required

- Really, totally, untested.
- Split out responses of preflight and actual CORS requests
- If the request is not CORS valid, don't set the CORS response headers

Note that invalid CORS requests should not actually throw error
responses; the client should simply not handle the response because the
response does not have the right headers (it's a client-side policy
error, not an HTTP error). We do throw a 403 for a mismatch with the
query param, but since that is 'outside' of the spec, that might be
appropriate.

Bug: T76701
Change-Id: Ib296c68babe5c0b380268ee7793b3d6d35b9c3e3
---
M includes/api/ApiMain.php
1 file changed, 17 insertions(+), 2 deletions(-)


  git pull ssh://gerrit.wikimedia.org:29418/mediawiki/core 
refs/changes/45/177545/1

diff --git a/includes/api/ApiMain.php b/includes/api/ApiMain.php
index 3d04f95..d038fb2 100644
--- a/includes/api/ApiMain.php
+++ b/includes/api/ApiMain.php
@@ -498,12 +498,28 @@
 
                $request = $this->getRequest();
                $response = $request->response();
+
                // Origin: header is a space-separated list of origins, check 
all of them
                $originHeader = $request->getHeader( 'Origin' );
                if ( $originHeader === false ) {
-                       $origins = array();
+                       // Origin header is required for any CORS headers on 
the response 
+                       return true;
                } else {
                        $origins = explode( ' ', $originHeader );
+               }
+
+               $requestedMethod = $request->getHeader( 
'Access-Control-Request-Method' );
+               if ( $request->getMethod() === 'OPTIONS' && $requestedMethod 
!== false ) {
+                       // This is a CORS preflight request
+                       if ( $requestedMethod === 'POST' || $requestedMethod 
=== 'GET' ) {
+                               // We only allow the actual request to be GET 
or POST
+                               $response->header( 
'Access-Control-Allow-Methods: POST, GET' );
+
+                               // We allow the actual request to send the 
following headers
+                               $response->header( 
'Access-Control-Allow-Headers: Api-User-Agent' );
+                       } else {
+                               return true;
+                       }
                }
 
                if ( !in_array( $originParam, $origins ) ) {
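Review bot: the early `return true;` added for a missing Origin header also skips the `if ( !in_array( $originParam, $origins ) )` check at the end of this hunk, so a request that carries an `origin` query parameter but no Origin header is now served as an ordinary request instead of getting the 403 the commit message describes for a query-parameter mismatch. If that is intended, say so in the message; otherwise keep the old `$origins = array();` path for that case so the mismatch is still refused. Separately, in the preflight branch `Access-Control-Allow-Methods` and `Access-Control-Allow-Headers` are emitted before the origin whitelist is consulted, so a preflight from a non-whitelisted origin still receives them (without Allow-Origin); emitting them only once `$matchOrigin` is known would fit the change subject of returning CORS headers only as required.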
@@ -527,7 +543,6 @@
                if ( $matchOrigin ) {
                        $response->header( "Access-Control-Allow-Origin: 
$originParam" );
                        $response->header( 'Access-Control-Allow-Credentials: 
true' );
-                       $response->header( 'Access-Control-Allow-Headers: 
Api-User-Agent' );
                        $this->getOutput()->addVaryHeader( 'Origin' );
                }
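Review bot: removing `Access-Control-Allow-Headers` from the actual-response path is correct, since browsers only consult it on the preflight, but this `if ( $matchOrigin )` block is now the only place that knows the origin is whitelisted while the preflight-only grants are set earlier, outside it. Consider moving the two preflight `$response->header(...)` calls in here, guarded by the preflight condition, so that a preflight from a non-whitelisted origin gets no CORS headers at all, and add a short comment noting that Allow-Methods and Allow-Headers are intentionally preflight-only.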
 

-- 
To view, visit https://gerrit.wikimedia.org/r/177545
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: newchange
Gerrit-Change-Id: Ib296c68babe5c0b380268ee7793b3d6d35b9c3e3
Gerrit-PatchSet: 1
Gerrit-Project: mediawiki/core
Gerrit-Branch: master
Gerrit-Owner: TheDJ <hartman.w...@gmail.com>

_______________________________________________
MediaWiki-commits mailing list
MediaWiki-commits@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
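The decision the commit message describes, as an added example written for this page and not code from MediaWiki or from change 177545: a standalone PHP function that works out which CORS headers to send for one request. It follows the split the patch makes (no Origin header means no CORS headers; a preflight gets method and header grants; a 403 only for an Origin/`origin` query-parameter mismatch; a non-whitelisted origin gets a normal response that the browser then refuses to expose to the page). The function name `corsDecision`, its parameters, the treatment of a missing `origin` query parameter as a non-CORS request, and the sample requests are assumptions made for the illustration; unlike the patch, it emits the preflight grants only after the origin has passed the whitelist.

```php
<?php
// Added example for this page, not code from MediaWiki or from change 177545.
// Models the decision the change's commit message describes. Function and
// parameter names are assumptions for illustration.

/**
 * @param string      $method      HTTP request method
 * @param array       $headers     Request headers keyed by lower-cased name
 * @param string|null $originParam Value of the 'origin' query parameter, null if absent
 * @param string[]    $whitelist   Origins allowed to make credentialed requests
 * @return array{status: int, headers: string[]}
 */
function corsDecision( $method, array $headers, $originParam, array $whitelist ) {
	$none = array( 'status' => 200, 'headers' => array() );

	// Assumption: without the 'origin' query parameter the request is not
	// treated as a CORS request at all.
	if ( $originParam === null ) {
		return $none;
	}

	// No Origin header: the browser did not send a CORS request, so the
	// response must not carry CORS headers.
	if ( !isset( $headers['origin'] ) ) {
		return $none;
	}
	// Origin may be a space-separated list; check all of them.
	$origins = explode( ' ', $headers['origin'] );

	$isPreflight = ( $method === 'OPTIONS' && isset( $headers['access-control-request-method'] ) );
	if ( $isPreflight ) {
		$requested = $headers['access-control-request-method'];
		// Only GET and POST are granted; anything else gets a plain response
		// and the browser fails the preflight on the client side.
		if ( $requested !== 'GET' && $requested !== 'POST' ) {
			return $none;
		}
	}

	// The query-parameter check is outside the CORS spec, so a mismatch is
	// an HTTP error rather than a silent non-grant.
	if ( !in_array( $originParam, $origins, true ) ) {
		return array( 'status' => 403, 'headers' => array() );
	}

	// Not whitelisted: no error, but no Allow-Origin, so the page never
	// gets to read the body.
	if ( !in_array( $originParam, $whitelist, true ) ) {
		return $none;
	}

	$out = array(
		'Access-Control-Allow-Origin: ' . $originParam,
		'Access-Control-Allow-Credentials: true',
		'Vary: Origin',
	);
	if ( $isPreflight ) {
		// Grants that only matter on the preflight; the actual request
		// does not need them.
		$out[] = 'Access-Control-Allow-Methods: POST, GET';
		$out[] = 'Access-Control-Allow-Headers: Api-User-Agent';
	}
	return array( 'status' => 200, 'headers' => $out );
}

// Constructed sample requests (not captured traffic).
$whitelist = array( 'https://en.wikipedia.org' );
$cases = array(
	'no Origin header'      => array( 'GET', array(), 'https://en.wikipedia.org' ),
	'preflight, allowed'    => array( 'OPTIONS', array( 'origin' => 'https://en.wikipedia.org', 'access-control-request-method' => 'POST' ), 'https://en.wikipedia.org' ),
	'preflight, PUT'        => array( 'OPTIONS', array( 'origin' => 'https://en.wikipedia.org', 'access-control-request-method' => 'PUT' ), 'https://en.wikipedia.org' ),
	'origin param mismatch' => array( 'GET', array( 'origin' => 'https://evil.example' ), 'https://en.wikipedia.org' ),
	'not whitelisted'       => array( 'GET', array( 'origin' => 'https://evil.example' ), 'https://evil.example' ),
);
foreach ( $cases as $label => $c ) {
	$r = corsDecision( $c[0], $c[1], $c[2], $whitelist );
	printf( "%-22s HTTP %d  %s\n", $label, $r['status'], implode( ' | ', $r['headers'] ) ?: '(no CORS headers)' );
}
```

Run it with `php` on the command line; only the "preflight, allowed" case produces CORS headers, the mismatch case is the only 403, and every other case is an ordinary 200 with no CORS headers, which is the "client-side policy error, not an HTTP error" distinction the commit message draws.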