16 public const CONSTRUCTOR_OPTIONS = [
35 $this->options = $options;
36 $this->responseFactory = $responseFactory;
54 && !$this->user->isRegistered()
56 $origin = Origin::parseHeaderList( $request->
getHeader(
'Origin' ) );
58 if ( !$this->allowOrigin( $origin ) ) {
59 return 'rest-cross-origin-anon-write';
70 private function allowOrigin(
Origin $origin ): bool {
71 $allowed = array_merge( [ $this->getCanonicalDomain() ],
75 return $origin->
match( $allowed, $excluded );
/**
 * Host (plus ":port" when one is configured) of the CanonicalServer
 * setting, as used for the first entry of the origin allow-list that
 * allowOrigin() builds.
 *
 * Only the host and port components of the configured URL are used; the
 * scheme is discarded. If parse_url() cannot parse the configured value it
 * returns false, in which case both lookups below fall back to their
 * defaults and an empty string is returned. A port of 0 is treated as
 * absent because of the truthiness check.
 * NOTE(review): an empty canonical domain then lands in the allowed-origin
 * list — confirm Origin::match() does not treat '' as matching an arbitrary
 * origin.
 */
private function getCanonicalDomain(): string {
    $res = parse_url( $this->options->get( MainConfigNames::CanonicalServer ) );
    '@phan-var array $res';

    $host = $res['host'] ?? '';
    $port = $res['port'] ?? null;

    // An explicit port is part of the origin; leave it out when not configured.
    if ( $port ) {
        return "$host:$port";
    }

    return $host;
}
106 $allowedOrigin =
'*';
108 if ( $this->options->get( MainConfigNames::RestAllowCrossOriginCookieAuth ) ) {
117 $response->
addHeader(
'Vary',
'Origin' );
120 if ( $request->hasHeader(
'Origin' ) ) {
121 $origin = Origin::parseHeaderList( $request->getHeader(
'Origin' ) );
122 if ( $this->allowOrigin( $origin ) ) {
126 if ( $request->getMethod() ===
'OPTIONS' || $this->user->isRegistered() ) {
141 if ( $allowedOrigin !==
'*' ) {
142 $response->setHeader(
'Access-Control-Allow-Credentials',
'true' );
145 $response->setHeader(
'Access-Control-Allow-Origin', $allowedOrigin );
157 $response = $this->responseFactory->createNoContent();
158 $response->
setHeader(
'Access-Control-Allow-Methods', $allowedMethods );
160 $allowedHeaders = $this->options->get( MainConfigNames::AllowedCorsHeaders );
161 $allowedHeaders = array_merge( $allowedHeaders, array_diff( [
170 ], $allowedHeaders ) );
171 $response->setHeader(
'Access-Control-Allow-Headers', $allowedHeaders );
if(!defined('MW_SETUP_CALLBACK'))
A class containing constants representing the names of configuration variables.
const CrossSiteAJAXdomainExceptions
Name constant for the CrossSiteAJAXdomainExceptions setting, for use with Config::get()
const CanonicalServer
Name constant for the CanonicalServer setting, for use with Config::get()
const AllowCrossOrigin
Name constant for the AllowCrossOrigin setting, for use with Config::get()
const AllowedCorsHeaders
Name constant for the AllowedCorsHeaders setting, for use with Config::get()
const CrossSiteAJAXdomains
Name constant for the CrossSiteAJAXdomains setting, for use with Config::get()
const RestAllowCrossOriginCookieAuth
Name constant for the RestAllowCrossOriginCookieAuth setting, for use with Config::get()