ApiSandbox: Indicate when login is suppressed
authorBrad Jorsch <bjorsch@wikimedia.org>
Sat, 20 May 2017 09:40:17 +0000 (11:40 +0200)
committerBrad Jorsch <bjorsch@wikimedia.org>
Tue, 20 Jun 2017 16:03:39 +0000 (12:03 -0400)
ApiMain will add a header to indicate that lacksSameOriginSecurity()
forced the request to be processed as if logged out, and ApiSandbox will
detect this header to display a helpful message on the results page.

Bug: T165797
Change-Id: I56390b31563c75d83cf0a8ffb1b8e4f3283895f0

includes/api/ApiMain.php
languages/i18n/en.json
languages/i18n/qqq.json
resources/Resources.php
resources/src/mediawiki.special/mediawiki.special.apisandbox.js

index 00f976e..d7586e0 100644 (file)
@@ -236,6 +236,7 @@ class ApiMain extends ApiBase {
                                wfDebug( "API: stripping user credentials when the same-origin policy is not applied\n" );
                                $wgUser = new User();
                                $this->getContext()->setUser( $wgUser );
+                               $request->response()->header( 'MediaWiki-Login-Suppressed: true' );
                        }
                }
 
@@ -778,7 +779,8 @@ class ApiMain extends ApiBase {
 
                        if ( !$preflight ) {
                                $response->header(
-                                       'Access-Control-Expose-Headers: MediaWiki-API-Error, Retry-After, X-Database-Lag'
+                                       'Access-Control-Expose-Headers: MediaWiki-API-Error, Retry-After, X-Database-Lag, '
+                                       . 'MediaWiki-Login-Suppressed'
                                );
                        }
                }
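Review bot: The new `$request->response()->header( 'MediaWiki-Login-Suppressed: true' )` line in the first hunk carries no comment saying what the header is for, and a reader could take it for part of the same-origin enforcement rather than a hint for clients. I would add above it `// Informational only: lets clients such as ApiSandbox tell that the request ran as anonymous. It is not a security control.` The second hunk exposes the same header through Access-Control-Expose-Headers, which is consistent with that purpose. The enclosing method of both hunks starts and ends outside the hunk.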
index fcdbfdc..51a8f39 100644 (file)
        "apisandbox-sending-request": "Sending API request...",
        "apisandbox-loading-results": "Receiving API results...",
        "apisandbox-results-error": "An error occurred while loading the API query response: $1.",
+       "apisandbox-results-login-suppressed": "This request has been processed as a logged-out user as it could be used to bypass browser Same-Origin security. Note that the API sandbox's automatic token handling does not work properly with such requests, please fill them in manually.",
        "apisandbox-request-selectformat-label": "Show request data as:",
        "apisandbox-request-format-url-label": "URL query string",
        "apisandbox-request-url-label": "Request URL:",
index fbd943d..a161629 100644 (file)
        "apisandbox-sending-request": "JavaScript message displayed while the request is being sent.",
        "apisandbox-loading-results": "JavaScript message displayed while the response is being read.",
        "apisandbox-results-error": "Displayed as an error message from JavaScript when the request failed.\n\nParameters:\n* $1 - Error message",
+       "apisandbox-results-login-suppressed": "Displayed as a warning when a request was processed as a logged-out user to avoid Same-Origin security bypass.",
        "apisandbox-request-selectformat-label": "Label for the format selector on the results page.",
        "apisandbox-request-format-url-label": "Label for the menu item to select URL format.\n\nSee also:\n* {{msg-mw|apisandbox-request-selectformat-label}}\n* {{msg-mw|apisandbox-request-url-label}}",
        "apisandbox-request-url-label": "Label for the text field displaying the URL used to make this request.\n\nSee also:\n* {{msg-mw|apisandbox-request-format-url-label}}",
index 4c9934d..1017956 100644 (file)
@@ -1900,6 +1900,7 @@ return [
                        'apisandbox-sending-request',
                        'apisandbox-loading-results',
                        'apisandbox-results-error',
+                       'apisandbox-results-login-suppressed',
                        'apisandbox-request-selectformat-label',
                        'apisandbox-request-format-url-label',
                        'apisandbox-request-url-label',
index f53850a..6916477 100644 (file)
                                        } )
                                        .done( function ( data, jqXHR ) {
                                                var m, loadTime, button, clear,
-                                                       ct = jqXHR.getResponseHeader( 'Content-Type' );
+                                                       ct = jqXHR.getResponseHeader( 'Content-Type' ),
+                                                       loginSuppressed = jqXHR.getResponseHeader( 'MediaWiki-Login-Suppressed' ) || 'false';
 
                                                $result.empty();
+                                               if ( loginSuppressed !== 'false' ) {
+                                                       $( '<div>' )
+                                                               .addClass( 'warning' )
+                                                               .append( Util.parseMsg( 'apisandbox-results-login-suppressed' ) )
+                                                               .appendTo( $result );
+                                               }
                                                if ( /^text\/mediawiki-api-prettyprint-wrapped(?:;|$)/.test( ct ) ) {
                                                        data = JSON.parse( data );
                                                        if ( data.modules.length ) {
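Review bot: The check `if ( loginSuppressed !== 'false' )` treats any present header value other than the literal string `false` as suppression, while ApiMain in this same change sends exactly `true`; defaulting with `|| 'false'` and then testing string inequality is an indirect way to spell a boolean. Clearer and stricter would be `loginSuppressed = jqXHR.getResponseHeader( 'MediaWiki-Login-Suppressed' ) === 'true';` with `if ( loginSuppressed ) {` below. The `.done` callback that contains this code begins and ends outside the hunk.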