16 public const CONSTRUCTOR_OPTIONS = [
29 private $responseFactory;
45 $this->options = $options;
46 $this->responseFactory = $responseFactory;
64 && !$this->user->isRegistered()
66 $origin = Origin::parseHeaderList( $request->
getHeader(
'Origin' ) );
68 if ( !$this->allowOrigin( $origin ) ) {
69 return 'rest-cross-origin-anon-write';
80 private function allowOrigin(
Origin $origin ): bool {
81 $allowed = array_merge( [ $this->getCanonicalDomain() ],
85 return $origin->
match( $allowed, $excluded );
91 private function getCanonicalDomain(): string {
92 $res = parse_url( $this->options->get(
MainConfigNames::CanonicalServer ) );
93 '@phan-var array $res';
95 $host = $res[
'host'] ??
'';
96 $port = $res[
'port'] ??
null;
98 return $port ?
"$host:$port" : $host;
116 $allowedOrigin =
'*';
118 if ( $this->options->get( MainConfigNames::RestAllowCrossOriginCookieAuth ) ) {
127 $response->
addHeader(
'Vary',
'Origin' );
130 if ( $request->hasHeader(
'Origin' ) ) {
131 $origin = Origin::parseHeaderList( $request->getHeader(
'Origin' ) );
132 if ( $this->allowOrigin( $origin ) ) {
136 if ( $request->getMethod() ===
'OPTIONS' || $this->user->isRegistered() ) {
151 if ( $allowedOrigin !==
'*' ) {
152 $response->setHeader(
'Access-Control-Allow-Credentials',
'true' );
155 $response->setHeader(
'Access-Control-Allow-Origin', $allowedOrigin );
167 $response = $this->responseFactory->createNoContent();
168 $response->
setHeader(
'Access-Control-Allow-Methods', $allowedMethods );
170 $allowedHeaders = $this->options->get( MainConfigNames::AllowedCorsHeaders );
171 $allowedHeaders = array_merge( $allowedHeaders, array_diff( [
180 ], $allowedHeaders ) );
181 $response->setHeader(
'Access-Control-Allow-Headers', $allowedHeaders );
if(!defined('MW_SETUP_CALLBACK'))
A class containing constants that represent the names of configuration variables.
const CrossSiteAJAXdomainExceptions
Name constant for the CrossSiteAJAXdomainExceptions setting, for use with Config::get()
const CanonicalServer
Name constant for the CanonicalServer setting, for use with Config::get()
const AllowCrossOrigin
Name constant for the AllowCrossOrigin setting, for use with Config::get()
const AllowedCorsHeaders
Name constant for the AllowedCorsHeaders setting, for use with Config::get()
const CrossSiteAJAXdomains
Name constant for the CrossSiteAJAXdomains setting, for use with Config::get()
const RestAllowCrossOriginCookieAuth
Name constant for the RestAllowCrossOriginCookieAuth setting, for use with Config::get()