Anomie has uploaded a new change for review. ( https://gerrit.wikimedia.org/r/354646 )
Change subject: ApiSandbox: Indiciate when login is suppressed
......................................................................

ApiSandbox: Indiciate when login is suppressed

ApiMain will add a header to indicate that lacksSameOriginSecurity() forced the request to be processed as if logged out, and ApiSandbox will detect this header to display a helpful message on the results page.

Bug: T165797
Change-Id: I56390b31563c75d83cf0a8ffb1b8e4f3283895f0
---
M includes/api/ApiMain.php
M languages/i18n/en.json
M languages/i18n/qqq.json
M resources/Resources.php
M resources/src/mediawiki.special/mediawiki.special.apisandbox.js
5 files changed, 14 insertions(+), 2 deletions(-)

git pull ssh://gerrit.wikimedia.org:29418/mediawiki/core refs/changes/46/354646/1

diff --git a/includes/api/ApiMain.php b/includes/api/ApiMain.php
index 00f976e..d7586e0 100644
--- a/includes/api/ApiMain.php
+++ b/includes/api/ApiMain.php
@@ -236,6 +236,7 @@
 wfDebug( "API: stripping user credentials when the same-origin policy is not applied\n" );
 $wgUser = new User();
 $this->getContext()->setUser( $wgUser );
+ $request->response()->header( 'MediaWiki-Login-Suppressed: true' );
 }
 }
@@ -778,7 +779,8 @@
 if ( !$preflight ) {
 $response->header(
- 'Access-Control-Expose-Headers: MediaWiki-API-Error, Retry-After, X-Database-Lag'
+ 'Access-Control-Expose-Headers: MediaWiki-API-Error, Retry-After, X-Database-Lag, '
+ . 'MediaWiki-Login-Suppressed'
 );
 }
 }
diff --git a/languages/i18n/en.json b/languages/i18n/en.json
index fcdbfdc..04d9dc1 100644
--- a/languages/i18n/en.json
+++ b/languages/i18n/en.json
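Review bot: The new `MediaWiki-Login-Suppressed: true` header in the first hunk is a contract that client code parses by exact value, yet nothing in the hunk records what it means or when it is sent; a comment above the `header()` call would help, e.g. `// Tell the client that lacksSameOriginSecurity() forced a logged-out view; ApiSandbox checks for exactly 'true'`. The second hunk's `Access-Control-Expose-Headers` addition is what makes the header readable from cross-origin XHR, so the two hunks must stay in sync if the name ever changes, and a comment on each side pointing at the other (or a shared constant) would make that dependency visible. `$request` is presumably assigned earlier in the constructor, which starts and ends outside the hunk, so that should be confirmed. By construction the header is only emitted on responses whose credentials were already stripped, so it reveals nothing the caller did not already determine with its own request.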
@@ -2012,6 +2012,7 @@
 "apisandbox-sending-request": "Sending API request...",
 "apisandbox-loading-results": "Receiving API results...",
 "apisandbox-results-error": "An error occurred while loading the API query response: $1.",
+ "apisandbox-results-login-suppressed": "This request has been processed as a logged-out user as it could be used to bypass browser Same-Origin security. Note that ApiSandbox's automatic token handling does not work properly with such requests, please fill them in manually.",
 "apisandbox-request-selectformat-label": "Show request data as:",
 "apisandbox-request-format-url-label": "URL query string",
 "apisandbox-request-url-label": "Request URL:",
diff --git a/languages/i18n/qqq.json b/languages/i18n/qqq.json
index fbd943d..a161629 100644
--- a/languages/i18n/qqq.json
+++ b/languages/i18n/qqq.json
@@ -2200,6 +2200,7 @@
 "apisandbox-sending-request": "JavaScript message displayed while the request is being sent.",
 "apisandbox-loading-results": "JavaScript message displayed while the response is being read.",
 "apisandbox-results-error": "Displayed as an error message from JavaScript when the request failed.\n\nParameters:\n* $1 - Error message",
+ "apisandbox-results-login-suppressed": "Displayed as a warning when a request was processed as a logged-out user to avoid Same-Origin security bypass.",
 "apisandbox-request-selectformat-label": "Label for the format selector on the results page.",
 "apisandbox-request-format-url-label": "Label for the menu item to select URL format.\n\nSee also:\n* {{msg-mw|apisandbox-request-selectformat-label}}\n* {{msg-mw|apisandbox-request-url-label}}",
 "apisandbox-request-url-label": "Label for the text field displaying the URL used to make this request.\n\nSee also:\n* {{msg-mw|apisandbox-request-format-url-label}}",
diff --git a/resources/Resources.php b/resources/Resources.php
index 4c9934d..1017956 100644
--- a/resources/Resources.php
+++ b/resources/Resources.php
@@ -1900,6 +1900,7 @@
 'apisandbox-sending-request',
 'apisandbox-loading-results',
 'apisandbox-results-error',
+ 'apisandbox-results-login-suppressed',
 'apisandbox-request-selectformat-label',
 'apisandbox-request-format-url-label',
 'apisandbox-request-url-label',
diff --git a/resources/src/mediawiki.special/mediawiki.special.apisandbox.js b/resources/src/mediawiki.special/mediawiki.special.apisandbox.js
index f53850a..6916477 100644
--- a/resources/src/mediawiki.special/mediawiki.special.apisandbox.js
+++ b/resources/src/mediawiki.special/mediawiki.special.apisandbox.js
@@ -1120,9 +1120,16 @@
 } )
 .done( function ( data, jqXHR ) {
 var m, loadTime, button, clear,
- ct = jqXHR.getResponseHeader( 'Content-Type' );
+ ct = jqXHR.getResponseHeader( 'Content-Type' ),
+ loginSuppressed = jqXHR.getResponseHeader( 'MediaWiki-Login-Suppressed' ) || 'false';
 $result.empty();
+ if ( loginSuppressed !== 'false' ) {
+ $( '<div>' )
+ .addClass( 'warning' )
+ .append( Util.parseMsg( 'apisandbox-results-login-suppressed' ) )
+ .appendTo( $result );
+ }
 if ( /^text\/mediawiki-api-prettyprint-wrapped(?:;|$)/.test( ct ) ) {
 data = JSON.parse( data );
 if ( data.modules.length ) {
--
To view, visit https://gerrit.wikimedia.org/r/354646
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings
Gerrit-MessageType: newchange
Gerrit-Change-Id: I56390b31563c75d83cf0a8ffb1b8e4f3283895f0
Gerrit-PatchSet: 1
Gerrit-Project: mediawiki/core
Gerrit-Branch: master
Gerrit-Owner: Anomie <bjor...@wikimedia.org>
_______________________________________________
MediaWiki-commits mailing list
MediaWiki-commits@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
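Review bot: The `|| 'false'` default combined with `loginSuppressed !== 'false'` treats any header value except the literal string `'false'` as suppression, which is looser than what ApiMain.php emits (exactly `true`) and stores a boolean as a string; a plain boolean is clearer and matches the server contract: `loginSuppressed = jqXHR.getResponseHeader( 'MediaWiki-Login-Suppressed' ) === 'true';` and `if ( loginSuppressed ) {`. The warning is appended right after `$result.empty()` and before the content-type branch, so it is also shown on error responses; that looks intended but deserves a line such as `// Warn before rendering so the notice is visible even when the response is an error`. `Util.parseMsg` is presumably the module's own helper defined outside the hunk. The `.done()` callback and the function it belongs to start and end outside the hunk.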