TheDJ has uploaded a new change for review. https://gerrit.wikimedia.org/r/177545
Change subject: [WIP] Only return CORS headers in the response as required ...................................................................... [WIP] Only return CORS headers in the response as required - Really, totally, Untested. - Split out responses of preflight and actual CORS requests - If the request is not CORS valid, don't set the CORS response headers Note that invalid CORS requests should not actually throw error responses, the client should simply not handle the response because the response does not have the right headers (it's a client side policy error not an http error). We do throw a 403 for a mismatch with the queryparam, but since that is 'outside' of the spec, that might be appropriate. Bug: T76701 Change-Id: Ib296c68babe5c0b380268ee7793b3d6d35b9c3e3 --- M includes/api/ApiMain.php 1 file changed, 17 insertions(+), 2 deletions(-) git pull ssh://gerrit.wikimedia.org:29418/mediawiki/core refs/changes/45/177545/1 diff --git a/includes/api/ApiMain.php b/includes/api/ApiMain.php index 3d04f95..d038fb2 100644 --- a/includes/api/ApiMain.php +++ b/includes/api/ApiMain.php 
@@ -498,12 +498,28 @@ $request = $this->getRequest(); $response = $request->response(); + // Origin: header is a space-separated list of origins, check all of them $originHeader = $request->getHeader( 'Origin' ); if ( $originHeader === false ) { - $origins = array(); + // Origin header is required for any CORS headers on the response + return true; } else { $origins = explode( ' ', $originHeader ); + } + + $requestedMethod = $request->getHeader( 'Access-Control-Request-Method' ); + if ( $request->getMethod() === 'OPTIONS' && $requestedMethod !== false ) { + // This is a CORS preflight request + if ( $requestedMethod === 'POST' || $requestedMethod === 'GET' ) { + // We only allow the actual request to be GET or POST + $response->header( 'Access-Control-Allow-Methods: POST, GET' ); + + // We allow the actual request to send the following headers + $response->header( 'Access-Control-Allow-Headers: Api-User-Agent' ); + } else { + return true; + } } if ( !in_array( $originParam, $origins ) ) { @@ -527,7 +543,6 @@ if ( $matchOrigin ) { $response->header( "Access-Control-Allow-Origin: $originParam" ); $response->header( 'Access-Control-Allow-Credentials: true' ); - $response->header( 'Access-Control-Allow-Headers: Api-User-Agent' ); $this->getOutput()->addVaryHeader( 'Origin' ); } -- To view, visit https://gerrit.wikimedia.org/r/177545 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: newchange Gerrit-Change-Id: Ib296c68babe5c0b380268ee7793b3d6d35b9c3e3 Gerrit-PatchSet: 1 Gerrit-Project: mediawiki/core Gerrit-Branch: master Gerrit-Owner: TheDJ <hartman.w...@gmail.com> _______________________________________________ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
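Review bot: in the first hunk the preflight-only headers are emitted before the origin has been validated. The new `if ( $request->getMethod() === 'OPTIONS' && $requestedMethod !== false )` branch calls `$response->header( 'Access-Control-Allow-Methods: POST, GET' )` and `$response->header( 'Access-Control-Allow-Headers: Api-User-Agent' )` ahead of both the `in_array( $originParam, $origins )` check and the later `if ( $matchOrigin )` block, so a preflight whose origin is later rejected still receives them, which contradicts the stated goal "If the request is not CORS valid, don't set the CORS response headers". Suggest only recording the preflight state here (e.g. a local `$isPreflight` flag, a name I am proposing, not one in the patch) and moving the two header calls into the `if ( $matchOrigin )` block beside `Access-Control-Allow-Origin`. Separately, the early `return true;` when `Origin` is absent now bypasses the `in_array( $originParam, $origins )` mismatch path that the commit message says still produces a 403, so a request carrying an `origin` parameter but no `Origin` header passes silently; the inline comment should say whether that is intended.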
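Review bot: the second hunk removes `Access-Control-Allow-Headers: Api-User-Agent` from the actual-request response without a comment explaining why. Since the reason (that header is only consulted during preflight, so it belongs with the `Access-Control-Allow-Methods` header added in the first hunk) is not obvious to the next reader of the `$matchOrigin` block, add a one-line comment there noting that preflight-only headers are set in the OPTIONS branch.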