jenkins-bot has submitted this change and it was merged.

Change subject: Fixed CORS issue with MW api calls
......................................................................


Fixed CORS issue with MW api calls

Added an origin parameter containing the current protocol+host when making api
calls to non-same-origin domains.

Bug: T122488
Change-Id: I60d77f84fc01b8eee3a65e2db4f5d7437df3ca06
---
M modules/graph2.js
1 file changed, 13 insertions(+), 8 deletions(-)

Approvals:
  Alex Monk: Looks good to me, but someone else must approve
  Yurik: Looks good to me, approved
  jenkins-bot: Verified



diff --git a/modules/graph2.js b/modules/graph2.js
index 8a51f09..22f4bb5 100644
--- a/modules/graph2.js
+++ b/modules/graph2.js
@@ -45,6 +45,7 @@
        originalSanitize = vg.util.load.sanitizeUrl.bind( vg.util.load );
        vg.util.load.sanitizeUrl = function ( opt ) {
                var path, query,
+                       location = window.location,
                        url = new mw.Uri( opt.url );
 
                switch ( url.protocol ) {
@@ -103,20 +104,24 @@
                                break;
                }
 
+               if ( location.hostname.toLowerCase() === url.host.toLowerCase() 
) {
+                       if ( !mw.config.get( 'wgGraphIsTrusted' ) ) {
+                               // Only send this header when hostname is the 
same
+                               // This is broader than the same-origin policy, 
but playing on the safer side
+                               opt.headers = { 'Treat-as-Untrusted': 1 };
+                       }
+               } else if ( opt.isApiCall ) {
+                       // All CORS api calls require origin parameter
+                       // It would be better to use location.origin, but 
apparently it's not universal yet
+                       query.origin = location.protocol + '//' + location.host;
+               }
+
                opt.url = new mw.Uri( {
                        host: url.host,
                        port: url.port,
                        path: path,
                        query: query
                } ).toString();
-
-               if ( !mw.config.get( 'wgGraphIsTrusted' ) &&
-                       window.location.hostname.toLowerCase() === 
url.host.toLowerCase()
-               ) {
-                       // Only send this header when hostname is the same
-                       // This is broader than the same-origin policy, but 
playing on the safer side
-                       opt.headers = { 'Treat-as-Untrusted': 1 };
-               }
 
                return originalSanitize.call( vg.util.load, opt );
        };
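Review bot: The cross-host branch at `else if ( opt.isApiCall )` appends `origin` for every graph, trusted or not, while `Treat-as-Untrusted` is only ever set on the same-hostname branch, so nothing in this hunk tells the remote wiki that an untrusted graph issued the call. Whether that matters depends on whether the loader attaches cookies to cross-origin requests, which is not visible here; if it can, the remote API would answer as the logged-in user and the graph definition could read the result. I would state the assumption next to the assignment, e.g. `// Cross-host API calls must be sent without credentials; the remote wiki gets no Treat-as-Untrusted header`. Separately, `query` is declared without a value and only assigned in the `switch`, whose body lies outside this hunk; if any `isApiCall` path can leave it unset, `query.origin = ...` throws, so `query = query || {};` just before the assignment would be a cheap guard.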

-- 
To view, visit https://gerrit.wikimedia.org/r/261200
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: merged
Gerrit-Change-Id: I60d77f84fc01b8eee3a65e2db4f5d7437df3ca06
Gerrit-PatchSet: 1
Gerrit-Project: mediawiki/extensions/Graph
Gerrit-Branch: wmf/1.27.0-wmf.9
Gerrit-Owner: Yurik <[email protected]>
Gerrit-Reviewer: Alex Monk <[email protected]>
Gerrit-Reviewer: Yurik <[email protected]>
Gerrit-Reviewer: jenkins-bot <>
