Add option to enable cross-origin resource sharing (CORS) in REST API
When MediaWiki is not deployed on an intranet, it is completely safe to add the `Access-Control-Allow-Origin: *` header to responses and allow cross-origin sites to access the REST API.

Bug: T232176
Change-Id: Ic0658039a6a46ee4f50c76f5d100450fdef7525a
parent
1360226e1b
commit
ab06b05619
3 changed files with 34 additions and 4 deletions
|
|
@ -9619,6 +9619,16 @@ $wgWatchlistExpiryMaxDuration = '6 months';
|
|||
*/
|
||||
$wgManualRevertSearchRadius = 15;
|
||||
|
||||
/**
|
||||
* Allow anonymous cross origin requests.
|
||||
*
|
||||
* This should be disabled for intranet sites (sites behind a firewall).
|
||||
*
|
||||
* @since 1.36
|
||||
* @var bool
|
||||
*/
|
||||
$wgAllowCrossOrigin = false;
|
||||
|
||||
/**
|
||||
* For really cool vim folding this needs to be at the end:
|
||||
* vim: foldmarker=@{,@} foldmethod=marker
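Review bot: The doc comment for `$wgAllowCrossOrigin` does not say which entry point the setting affects or what it makes the server send, and it gives no reason for the intranet warning. Going by the rest of this commit, it makes the REST API add `Access-Control-Allow-Origin: *` to its responses; on a wiki whose read access depends on network location, any website opened by a user inside that network could then read REST responses through that user's browser. I would put both facts in the comment, e.g. `* Allow anonymous cross origin requests to the REST API by sending "Access-Control-Allow-Origin: *".`, followed by a sentence saying that firewalled or otherwise network-restricted wikis must leave it `false` for that reason.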
|
||||
|
|
|
|||
|
|
@ -5,6 +5,7 @@ namespace MediaWiki\Rest;
|
|||
use ExtensionRegistry;
|
||||
use IContextSource;
|
||||
use MediaWiki;
|
||||
use MediaWiki\Config\ServiceOptions;
|
||||
use MediaWiki\MediaWikiServices;
|
||||
use MediaWiki\Rest\BasicAccess\MWBasicAuthorizer;
|
||||
use MediaWiki\Rest\Validator\Validator;
|
||||
|
|
@ -22,6 +23,13 @@ class EntryPoint {
|
|||
private $router;
|
||||
/** @var RequestContext */
|
||||
private $context;
|
||||
/** @var ServiceOptions */
|
||||
private $options;
|
||||
|
||||
/** @var array */
|
||||
private const CONSTRUCTOR_OPTIONS = [
|
||||
'AllowCrossOrigin',
|
||||
];
|
||||
|
||||
/**
|
||||
* @param IContextSource $context
|
||||
|
|
@ -96,7 +104,9 @@ class EntryPoint {
|
|||
$context,
|
||||
$request,
|
||||
$wgRequest->response(),
|
||||
$router );
|
||||
$router,
|
||||
new ServiceOptions( self::CONSTRUCTOR_OPTIONS, $conf )
|
||||
);
|
||||
$entryPoint->execute();
|
||||
}
|
||||
|
||||
|
|
@ -120,12 +130,13 @@ class EntryPoint {
|
|||
}
|
||||
|
||||
public function __construct( RequestContext $context, RequestInterface $request,
|
||||
WebResponse $webResponse, Router $router
|
||||
WebResponse $webResponse, Router $router, ServiceOptions $options
|
||||
) {
|
||||
$this->context = $context;
|
||||
$this->request = $request;
|
||||
$this->webResponse = $webResponse;
|
||||
$this->router = $router;
|
||||
$this->options = $options;
|
||||
}
|
||||
|
||||
public function execute() {
|
||||
|
|
@ -137,6 +148,10 @@ class EntryPoint {
|
|||
$response->getStatusCode() . ' ' .
|
||||
$response->getReasonPhrase() );
|
||||
|
||||
if ( $this->options->get( 'AllowCrossOrigin' ) ) {
|
||||
$this->webResponse->header( 'Access-Control-Allow-Origin: *' );
|
||||
}
|
||||
|
||||
foreach ( $response->getRawHeaderLines() as $line ) {
|
||||
$this->webResponse->header( $line );
|
||||
}
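Review bot: The `Access-Control-Allow-Origin: *` line added in execute() has no comment explaining why the wildcard is acceptable, and that reasoning is what keeps the option safe. With `*`, browsers refuse to expose responses to credentialed cross-origin requests, so a foreign site can read only what an anonymous client at the user's network location could read; that guarantee is lost if someone later adds `Access-Control-Allow-Credentials: true` or echoes the request's `Origin`. I would add a comment above the `if`, such as `// Wildcard only: never combine with Access-Control-Allow-Credentials or a reflected Origin (see $wgAllowCrossOrigin)`. The hunk also sends no `Access-Control-Allow-Methods` or `Access-Control-Allow-Headers`, and whether the router answers preflight `OPTIONS` requests is not visible here, so requests that need a preflight (a JSON `POST`, for example) may still be blocked by the browser. execute() starts before this hunk and continues past it.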
|
||||
|
|
|
|||
|
|
@ -5,6 +5,7 @@ namespace MediaWiki\Tests\Rest;
|
|||
use EmptyBagOStuff;
|
||||
use GuzzleHttp\Psr7\Stream;
|
||||
use GuzzleHttp\Psr7\Uri;
|
||||
use MediaWiki\Config\ServiceOptions;
|
||||
use MediaWiki\Permissions\PermissionManager;
|
||||
use MediaWiki\Rest\BasicAccess\StaticBasicAuthorizer;
|
||||
use MediaWiki\Rest\EntryPoint;
|
||||
|
|
@ -79,7 +80,9 @@ class EntryPointTest extends \MediaWikiIntegrationTestCase {
|
|||
RequestContext::getMain(),
|
||||
$request,
|
||||
$webResponse,
|
||||
$this->createRouter( $request ) );
|
||||
$this->createRouter( $request ),
|
||||
$this->createMock( ServiceOptions::class )
|
||||
);
|
||||
$entryPoint->execute();
|
||||
$this->assertTrue( true );
|
||||
}
|
||||
|
|
@ -105,7 +108,9 @@ class EntryPointTest extends \MediaWikiIntegrationTestCase {
|
|||
RequestContext::getMain(),
|
||||
$request,
|
||||
$this->createWebResponse(),
|
||||
$this->createRouter( $request ) );
|
||||
$this->createRouter( $request ),
|
||||
$this->createMock( ServiceOptions::class )
|
||||
);
|
||||
ob_start();
|
||||
$entryPoint->execute();
|
||||
$this->assertSame( 'hello', ob_get_clean() );
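Review bot: Both updated call sites pass `$this->createMock( ServiceOptions::class )`, whose unstubbed `get()` should return null, so the new `AllowCrossOrigin` branch in EntryPoint::execute() is never taken and nothing pins the header's behaviour. I would build real options instead, e.g. `new ServiceOptions( [ 'AllowCrossOrigin' ], [ 'AllowCrossOrigin' => true ] )`, and add a pair of cases asserting that the web response receives `Access-Control-Allow-Origin: *` when the option is true and no such header when it is false. The off-by-default case is the one worth locking down, since a regression there would silently open up wikis that depend on network-level access control. The test methods start and end outside these hunks, so how `$webResponse` is mocked there is not visible.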
|
||||
|
|
|
|||