addVaryHeader() converts $options to an array, so null values (no XVO
options) are converted to empty arrays. This led to headers like:
X-Vary-Options: Foo;string-contains=bar,Baz;,Quux;string-contains=xyz
This fix changes the "Baz;," part to "Baz,"
Change-Id: I2fa0b374f5d4cfa6b894cbd9de8c14354f04ad86
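
The header construction described in the commit message above, as an added PHP example (not MediaWiki's own code): buildXvoHeader() and findEmptyXvoOptions() are hypothetical helpers, and the sample input is constructed to reproduce the header quoted in the message. The checker assumes option values contain no commas or semicolons.

```php
<?php
// Added illustration; both functions are hypothetical, not part of MediaWiki.

/**
 * Build an X-Vary-Options header from a map of header name => option list.
 * With $fixed = false, a header without options gets a dangling ';'.
 */
function buildXvoHeader( array $varyHeaders, bool $fixed = true ): string {
	$parts = [];
	foreach ( $varyHeaders as $header => $options ) {
		$options = (array)$options; // null becomes [] here, as in addVaryHeader()
		if ( $fixed && count( $options ) === 0 ) {
			$parts[] = $header; // bare header name, no trailing ';'
			continue;
		}
		$parts[] = $header . ';' . implode( ';', $options );
	}
	return 'X-Vary-Options: ' . implode( ',', $parts );
}

/** Return the header names in an XVO line that carry an empty option field. */
function findEmptyXvoOptions( string $headerLine ): array {
	$value = trim( substr( $headerLine, strlen( 'X-Vary-Options:' ) ) );
	$bad = [];
	foreach ( explode( ',', $value ) as $entry ) {
		$fields = array_map( 'trim', explode( ';', $entry ) );
		$name = array_shift( $fields );
		if ( in_array( '', $fields, true ) ) {
			$bad[] = $name;
		}
	}
	return $bad;
}

// Constructed sample input: Baz has no XVO options.
$vary = [
	'Foo' => [ 'string-contains=bar' ],
	'Baz' => null,
	'Quux' => [ 'string-contains=xyz' ],
];

$before = buildXvoHeader( $vary, false );
$after = buildXvoHeader( $vary, true );
echo $before, "\n  empty option fields: ", implode( ', ', findEmptyXvoOptions( $before ) ), "\n";
echo $after, "\n  empty option fields: ", implode( ', ', findEmptyXvoOptions( $after ) ), "\n";
```
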
Fix for r10265: OutputPage::uncacheableBecauseRequestvars() as written
in that revision is backwards, apparently declaring all requests to be
uncacheable except those with useskin or uselang. Luckily getText() has
always converted its default parameter to a string, so the triple-equals
comparisons always fail, and uncacheableBecauseRequestvars() always
returns false.
In any case, it was never necessary to suppress the client-side cache
for useskin/uselang views, so the accidental behaviour was appropriate.
Change-Id: I520940867509b986a47d63ead9b549e8aa82fa1f
loader.
Site, user, and user.groups modules are pre-registered in JS client-side
loader. This prevents loading them again if they're given as explicit
dependencies of some other module.
Enabled modules are registered as "loading", disabled ones as "missing".
Empty modules register themselves as "ready".
Also adapt the client-side mw.loader.state to ensure that dependencies
are tracked if called with state "ready".
Note the FIXME in OutputPage.php; methinks this is an already existing
issue not fixed by this change.
Changeset 2: fix bug number in commit message (32537, not 32357!)
Changeset 3: change 'ready' registration as discussed; adapt line
lengths; clean up client-side code.
Changeset 4: "missing" status for disabled modules.
Change-Id: I595b3af1900d4bec0c35940ef51a19c8a7440faa
...that returns head tags as associative array for the benefit of skin
makers who don't want to output every <meta> tag in the universe.
Patchset 2: make sure that array keys are unique
Change-Id: I6fa3c954d603e0e401cbdb68975d536cf07e11ab
* (bug 35317) CSRF in Special:Upload
Revert r56793, which removed the CSRF check for Special:Upload for normal file
uploads. Cross-site posting of file uploads without user interaction has been
possible since at least as early as Chrome 8 (late 2010) and Firefox 6 (mid
2011).
Commonist has used api.php since version 0.4.0 (April 2010), and the API
already requires an edit token, so Commonist 0.4.0+ is not affected by this
change.
* (bug 34907) Fix for CSRF vulnerability due to mw.user.tokens. Patch by Roan
Kattouw and Tim Starling.
* Filter out private modules early in ResourceLoader::makeResponse() and just
pretend they weren't specified. This means these modules cannot be loaded
through load.php. This filtering must not happen in makeModuleResponse(),
because that would break inlining.
* Force inlining of private modules in OutputPage::makeResourceLoaderLink(),
disregarding $wgResourceLoaderInlinePrivateModules
* Remove $wgResourceLoaderInlinePrivateModules
* Remove special treatment of private modules ($private) in
ResourceLoader::makeResponse() and sendResponseHeaders(), because we're not
allowing private modules to be loaded through here any more
* Remove identity checks in ResourceLoaderUserOptionsModule and
ResourceLoaderUserCSSPrefsModule, they didn't make a lot of sense before but
they're certainly useless now.
* Factored out error comment construction in ResourceLoader.php and stripped
comment terminations from exception messages. I didn't find an XSS
vulnerability but it looked scary.
Patchset2:
Removes whitespace error that prevented automatic merge by Gerrit:
includes/resourceloader/ResourceLoaderUserOptionsModule.php
Change-Id: I2dec8b8caf9db3c64919763865cc10cccdd6a1a3
* Introduces $wgPreloadJavaScriptMwUtil
* Instead of loading mediawiki.util as base module from the bottom, now loading it from queue position "top" if $wgPreloadJavaScriptMwUtil is true. And if false it'll remain in the bottom in practice as implied by other modules loading it as a dependency (i.e. mediawiki.page.ready depends on it)
* Fixes bug 33746
* Removed 'pcache_miss_invalid' from stats.php and clear_stats.php, no longer used
* Added missing 'job-insert' and 'job-pop' to clear_stats.php
* Added missing call to wfIncrStats( 'pcache_miss_absent' ) when there's no key in ParserCache::get()
* Removed useless 'pcache_not_possible' stat from OutputPage::addWikiTextTitle() since that function is mostly used for interface messages
* Action/Context stuff is pretty deeply nested everywhere.
* Should be okay now, at last.
* Reverts reverting r109243
* Same as r109223, except adding this:
+ if ( !$context->canUseWikiPage() ) {
+ return 'view';
+ }
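Review bot: the early return in the added lines hard-codes 'view' whenever $context->canUseWikiPage() is false, and nothing in the hunk says why 'view' is the right fallback for that case. Since the message describes this as the same change as r109223 plus this guard, after a revert, a one-line comment above the `if` stating what fails without the guard would keep it from being removed again.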
* Add the mediawiki.debug module from OutputPage::addDefaultModules() along with other modules
* Get the request information when building the JS output instead of in Setup.php
* Fixes bug 4438
* Depends on r108342. See also r108343 which did a similar thing for mw.config wgAction
Previously attempted in r91871, which was reverted in r94131.
Added in OutputPage instead of Skin::getPageClasses, as this is not directly page nor skin related. It also ensures independence from skins; this CSS class should always be available so that it can be relied on by the front-end.
* Moved message parsing (including $1 replacement) to Message.prototype.parser(), and let jqueryMsg override that when loaded
** Make the Message constructor public to make this possible
** Moved logic for skipping jqueryMsg when the message is simple from mw.Message to mw.jqueryMsg, where it belongs
* Remove mw.jqueryMsg from the default modules list in OutputPage. Modules that require PLURAL/GENDER should depend on mw.jqueryMsg
* TODOs
** The jqueryMsg parser is recreated for every mw.msg() call. It should probably be cached, but the only way I can think of is to add it as a member of the Map object, which is kind of weird
** Because jqueryMsg doesn't support a 'text' mode that expands PLURAL/GENDER but doesn't output HTML (leaves e.g. links alone), mw.Message.plain() and mw.Message.parse() currently behave identically. This is wrong and should be fixed, but that needs support in jqueryMsg too
Follow up r107556 and based on the discussions on wikitech-l about this.
mediawiki.jqueryMsg is now loaded always. mw.msg uses the parser if required.
Add qunit test cases.
* Added a "blocking" state to mw.loader. When loading scripts while the document is not ready, the loader will use document.write() if blocking is true, and append to the <body> or the <head> if blocking is false. If the document is ready, the loader will always append to the <body>
* Enable blocking mode while loading the top queue, and disable it after. This ensures that modules in the top queue are still loaded in a blocking way as they were before
* If $wgResourceLoaderExperimentalAsyncLoading is true, the bottom queue is also loaded in the head, but with blocking mode disabled. Otherwise, it's loaded at the bottom of the <body> as before
* scripts-only and messages-only requests need special treatment:
** in the top queue, they can continue to use <script src="..."> tags because they are blocking
** if the bottom queue is at the bottom of the <body> (experimental async loading disabled), they can continue to use <script src="..."> tags as before
** if the bottom queue is in the <head> (experimental async loading enabled), they cannot use <script src="..."> tags, because those would block. Instead, call mw.loader.load() on the load.php URL