[MediaWiki-CVS] SVN: [54127] trunk/phase3: msg#01505mediawiki-cvs
http://www.mediawiki.org/wiki/Special:Code/MediaWiki/54127 Revision: 54127 Author: mrzman Date: 2009-07-31 21:56:34 +0000 (Fri, 31 Jul 2009) Log Message: ----------- (bug 19907) Adds support for cross-domain AJAX requests to the API. Uses the Access-Control-Allow-Origin header for browsers that support it. <http://dev.w3.org/2006/waf/access-control/> $wgCrossSiteAJAXdomains can be set to '*' to allow requests from any domain, an array of domains to allow, or, if $wgCrossSiteAJAXdomainsRegex is true, an array of regexes to match against the request origin Modified Paths: -------------- trunk/phase3/RELEASE-NOTES trunk/phase3/api.php trunk/phase3/includes/DefaultSettings.php Modified: trunk/phase3/RELEASE-NOTES =================================================================== --- trunk/phase3/RELEASE-NOTES 2009-07-31 21:47:48 UTC (rev 54126) +++ trunk/phase3/RELEASE-NOTES 2009-07-31 21:56:34 UTC (rev 54127) @@ -76,6 +76,8 @@ PHP and database version. * $wgSecondaryGoNamespaces allows an arry of namespaces to be checked when the GO button is pressed, in addition to the main namespace. +* (bug 19907) $wgCrossSiteAJAXdomains and $wgCrossSiteAJAXdomainsRegex added + to control which external domains may access the API via cross-site AJAX. === New features in 1.16 === @@ -403,6 +405,9 @@ * Added fields to list=search output: size, wordcount, timestamp, snippet * Where supported by backend, list=search adds a 'searchinfo' element with optional info: 'totalhits' count and 'suggestion' alternate query term +* (bug 19907) $wgCrossSiteAJAXdomains added to allow specified (or all) + external domains to access api.php via AJAX, if the browser supports the + Access-Control-Allow-Origin HTTP header === Languages updated in 1.16 === Modified: trunk/phase3/api.php =================================================================== --- trunk/phase3/api.php 2009-07-31 21:47:48 UTC (rev 54126) +++ trunk/phase3/api.php 2009-07-31 21:56:34 UTC (rev 54127) 
@@ -69,6 +69,25 @@
 die(1);
 }
+// Selectively allow cross-site AJAX
+if ( $wgCrossSiteAJAXdomains && isset($_SERVER['HTTP_ORIGIN']) ) {
+ if ( $wgCrossSiteAJAXdomains == '*' ) {
+ header( "Access-Control-Allow-Origin: {$_SERVER['HTTP_ORIGIN']}" );
+ header( 'Access-Control-Allow-Credentials: true' );
+ } elseif ( $wgCrossSiteAJAXdomainsRegex ) {
+ foreach ( $wgCrossSiteAJAXdomains as $regex ) {
+ if ( preg_match( $regex, $_SERVER['HTTP_ORIGIN'] ) ) {
+ header( "Access-Control-Allow-Origin: {$_SERVER['HTTP_ORIGIN']}" );
+ header( 'Access-Control-Allow-Credentials: true' );
+ break;
+ }
+ }
+ } elseif ( in_array( $_SERVER['HTTP_ORIGIN'], $wgCrossSiteAJAXdomains ) ) {
+ header( "Access-Control-Allow-Origin: {$_SERVER['HTTP_ORIGIN']}" );
+ header( 'Access-Control-Allow-Credentials: true' );
+ }
+}
+
 // So extensions can check whether they're running in API mode
 define('MW_API', true);
Modified: trunk/phase3/includes/DefaultSettings.php
===================================================================
--- trunk/phase3/includes/DefaultSettings.php 2009-07-31 21:47:48 UTC (rev 54126)
+++ trunk/phase3/includes/DefaultSettings.php 2009-07-31 21:56:34 UTC (rev 54127)
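Review bot: The `'*'` branch echoes back whatever `Origin` the browser sent and also sends `Access-Control-Allow-Credentials: true`, so with that setting any web page can issue cookie-authenticated API requests for a logged-in visitor and read the responses, which is a much wider grant than "allow requests from any domain" suggests. For the wildcard case I would send the literal `header( 'Access-Control-Allow-Origin: *' );` with no credentials header, and keep credentialed access for explicitly listed origins only. Since the response now depends on the request's origin, every branch that reflects it should also send `header( 'Vary: Origin' );` so that a shared cache (if api.php responses are cacheable here) cannot hand one origin's allow header to another. The list branch would be safer with a strict comparison, `in_array( $_SERVER['HTTP_ORIGIN'], $wgCrossSiteAJAXdomains, true )`.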
@@ -4121,3 +4121,25 @@
 * Array: Ids of namespaces to attempt match in, in desired order.
 */
 $wgSecondaryGoNamespaces = null;
+
+
+/**
+ * Settings for incoming cross-site AJAX requests:
+ * Newer browsers support cross-site AJAX when the target resource allows requests
+ * from the origin domain by the Access-Control-Allow-Origin header.
+ * This is currently only used by the API (requests to api.php)
+ * $wgCrossSiteAJAXdomains can be set as follows:
+ *
+ * - the string '*' to allow requests from any domain
+ * - an array of domains to allow AJAX requests from, e.g.
+ * array( 'http://en.wikipedia.org', 'http://en.wikibooks.org' );
+ * - if $wgCrossSiteAJAXdomainsRegex is true, an array of regexes to be
+ * matched against the request origin. Anything that matches will be allowed
+ */
+$wgCrossSiteAJAXdomains = array();
+
+/**
+ * Set to true to treat $wgCrossSiteAJAXdomains as regexes instead of strings
+ */
+$wgCrossSiteAJAXdomainsRegex = false;
+
_______________________________________________ MediaWiki-CVS mailing list MediaWiki-CVS@xxxxxxxxxxxxxxxxxxx https://lists.wikimedia.org/mailman/listinfo/mediawiki-cvs
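Review bot: The doc comment for `$wgCrossSiteAJAXdomains` does not mention that api.php also sends `Access-Control-Allow-Credentials: true` to every origin that matches, meaning the origin can read API responses fetched with the visitor's cookies; an administrator considering `'*'` should see that stated next to the option. The regex bullet should also warn that patterns are handed to `preg_match()` as written, so an unanchored pattern such as `'/wikipedia\.org/'` (constructed example) would also accept an origin like `http://wikipedia.org.example.net`. I would add a line such as ` * Regexes should be anchored with ^ and $ and include the scheme, e.g. '/^http:\/\/[a-z]+\.wikipedia\.org$/'` to that bullet.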