From 06802684e00a92e73fdbd5297cbf47400935c754 Mon Sep 17 00:00:00 2001
From: Brad Jorsch
Date: Sat, 20 May 2017 11:40:17 +0200
Subject: [PATCH] ApiSandbox: Indicate when login is suppressed

ApiMain will add a header to indicate that lacksSameOriginSecurity() forced the request to be processed as if logged out, and ApiSandbox will detect this header to display a helpful message on the results page.

Bug: T165797
Change-Id: I56390b31563c75d83cf0a8ffb1b8e4f3283895f0
---
 includes/api/ApiMain.php | 4 +++-
 languages/i18n/en.json | 1 +
 languages/i18n/qqq.json | 1 +
 resources/Resources.php | 1 +
 .../mediawiki.special/mediawiki.special.apisandbox.js | 9 ++++++++-
 5 files changed, 14 insertions(+), 2 deletions(-)

diff --git a/includes/api/ApiMain.php b/includes/api/ApiMain.php
index 00f976e907..d7586e0822 100644
--- a/includes/api/ApiMain.php
+++ b/includes/api/ApiMain.php
@@ -236,6 +236,7 @@ class ApiMain extends ApiBase {
 			wfDebug( "API: stripping user credentials when the same-origin policy is not applied\n" );
 			$wgUser = new User();
 			$this->getContext()->setUser( $wgUser );
+			$request->response()->header( 'MediaWiki-Login-Suppressed: true' );
 		}
 	}
 
@@ -778,7 +779,8 @@ class ApiMain extends ApiBase {
 		if ( !$preflight ) {
 			$response->header(
-				'Access-Control-Expose-Headers: MediaWiki-API-Error, Retry-After, X-Database-Lag'
+				'Access-Control-Expose-Headers: MediaWiki-API-Error, Retry-After, X-Database-Lag, ' . 'MediaWiki-Login-Suppressed'
 			);
 		}
 	}
 
diff --git a/languages/i18n/en.json b/languages/i18n/en.json
index fcdbfdce6e..51a8f39d34 100644
--- a/languages/i18n/en.json
+++ b/languages/i18n/en.json
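Review bot: The added `$request->response()->header( 'MediaWiki-Login-Suppressed: true' );` line carries no comment saying what the header is for, and a header emitted from the credential-stripping branch invites a later reader to treat it as a security signal rather than a UI hint; I would add `// Informational only: tells clients such as ApiSandbox that this request was deliberately processed as anonymous (see lacksSameOriginSecurity()).` above it. The header name is also a bare literal here, again in the Access-Control-Expose-Headers string in the next hunk, and a third time in apisandbox.js, so a single class constant such as `const LOGIN_SUPPRESSED_HEADER = 'MediaWiki-Login-Suppressed';` would keep the three spellings from drifting. Every response on this branch is produced for an anonymous user, so the header should be identical on all of them and harmless to a shared cache, but that is not visible in the hunk and is worth confirming against the cache-mode handling. The enclosing method starts before this hunk.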
@@ -2012,6 +2012,7 @@
 	"apisandbox-sending-request": "Sending API request...",
 	"apisandbox-loading-results": "Receiving API results...",
 	"apisandbox-results-error": "An error occurred while loading the API query response: $1.",
+	"apisandbox-results-login-suppressed": "This request has been processed as a logged-out user as it could be used to bypass browser Same-Origin security. Note that the API sandbox's automatic token handling does not work properly with such requests, please fill them in manually.",
 	"apisandbox-request-selectformat-label": "Show request data as:",
 	"apisandbox-request-format-url-label": "URL query string",
 	"apisandbox-request-url-label": "Request URL:",
diff --git a/languages/i18n/qqq.json b/languages/i18n/qqq.json
index fbd943d0a0..a161629bce 100644
--- a/languages/i18n/qqq.json
+++ b/languages/i18n/qqq.json
@@ -2200,6 +2200,7 @@
 	"apisandbox-sending-request": "JavaScript message displayed while the request is being sent.",
 	"apisandbox-loading-results": "JavaScript message displayed while the response is being read.",
 	"apisandbox-results-error": "Displayed as an error message from JavaScript when the request failed.\n\nParameters:\n* $1 - Error message",
+	"apisandbox-results-login-suppressed": "Displayed as a warning when a request was processed as a logged-out user to avoid Same-Origin security bypass.",
 	"apisandbox-request-selectformat-label": "Label for the format selector on the results page.",
 	"apisandbox-request-format-url-label": "Label for the menu item to select URL format.\n\nSee also:\n* {{msg-mw|apisandbox-request-selectformat-label}}\n* {{msg-mw|apisandbox-request-url-label}}",
 	"apisandbox-request-url-label": "Label for the text field displaying the URL used to make this request.\n\nSee also:\n* {{msg-mw|apisandbox-request-format-url-label}}",
diff --git a/resources/Resources.php b/resources/Resources.php
index 4c9934dfec..1017956b2c 100644
--- a/resources/Resources.php
+++ b/resources/Resources.php
@@ -1900,6 +1900,7 @@ return [
 				'apisandbox-sending-request',
 				'apisandbox-loading-results',
 				'apisandbox-results-error',
+				'apisandbox-results-login-suppressed',
 				'apisandbox-request-selectformat-label',
 				'apisandbox-request-format-url-label',
 				'apisandbox-request-url-label',
diff --git a/resources/src/mediawiki.special/mediawiki.special.apisandbox.js b/resources/src/mediawiki.special/mediawiki.special.apisandbox.js
index f53850a545..6916477cdc 100644
--- a/resources/src/mediawiki.special/mediawiki.special.apisandbox.js
+++ b/resources/src/mediawiki.special/mediawiki.special.apisandbox.js
@@ -1120,9 +1120,16 @@
 				} )
 				.done( function ( data, jqXHR ) {
 					var m, loadTime, button, clear,
-						ct = jqXHR.getResponseHeader( 'Content-Type' );
+						ct = jqXHR.getResponseHeader( 'Content-Type' ),
+						loginSuppressed = jqXHR.getResponseHeader( 'MediaWiki-Login-Suppressed' ) || 'false';
 
 					$result.empty();
+					if ( loginSuppressed !== 'false' ) {
+						$( '
' )
+						.addClass( 'warning' )
+						.append( Util.parseMsg( 'apisandbox-results-login-suppressed' ) )
+						.appendTo( $result );
+					}
 					if ( /^text\/mediawiki-api-prettyprint-wrapped(?:;|$)/.test( ct ) ) {
 						data = JSON.parse( data );
 						if ( data.modules.length ) {
-- 
2.20.1
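Review bot: The new `loginSuppressed = jqXHR.getResponseHeader( 'MediaWiki-Login-Suppressed' ) || 'false';` line together with the later `if ( loginSuppressed !== 'false' )` encodes a presence check as a string comparison, so an empty header value counts as suppressed while a server that ever sent the value `false` would not; a boolean states the intent directly: `loginSuppressed = jqXHR.getResponseHeader( 'MediaWiki-Login-Suppressed' ) !== null;` paired with `if ( loginSuppressed ) {`. The check also depends on the transport exposing response headers; if any sandbox request reaches the server through a JSONP/script transport, `getResponseHeader` yields null and the warning is silently omitted for exactly the requests the server flagged, which is worth confirming, and cross-origin XHR additionally relies on the Expose-Headers change in ApiMain.php. The element literal inside `$( '…' )` is not legible in this rendering of the hunk, so the markup being appended could not be checked. The `.done` callback continues past the end of the hunk.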