Skip to content

Commit

Permalink
Add support for crossorigin parameter
Browse files Browse the repository at this point in the history
This is a parameter I’m proposing for the Action API (see the linked
Gerrit change); as it affects CORS, it must be part of any preflight
request and thus be included in the URL, rather than the POST body, just
like the origin parameter. Let’s add support for it already so it can be
tested more easily. (If the parameters ends up not being merged after
all, we can remove this again.)
  • Loading branch information
lucaswerkmeister committed Sep 22, 2024
1 parent 22b207a commit b3baec3
Show file tree
Hide file tree
Showing 4 changed files with 38 additions and 3 deletions.
6 changes: 5 additions & 1 deletion CHANGES.md
Original file line number Diff line number Diff line change
Expand Up @@ -7,7 +7,9 @@ but this file may sometimes contain later improvements (e.g. typo fixes).

## next (not yet released)

No changes yet.
- Added experimental support for the upcoming `crossorigin` API parameter
(added in [Gerrit change I41200852ee][I41200852ee] for [T322944][]).
This may be reverted in a future release if the MediaWiki change is not merged after all.

## v0.8.3 (2024-09-07)

Expand Down Expand Up @@ -331,3 +333,5 @@ but I see no reason to recreate the tag now.
[m3api-doc-v0.7.1]: https://lucaswerkmeister.github.io/m3api/v0.7.1/
[m3api-oauth2]: https://www.npmjs.com/package/m3api-oauth2
[CVE-2023-45143]: https://github.com/advisories/GHSA-wqq4-5wpv-mx2g
[I41200852ee]: https://gerrit.wikimedia.org/r/c/mediawiki/core/+/926663
[T322944]: https://phabricator.wikimedia.org/T322944
2 changes: 1 addition & 1 deletion core.js
Original file line number Diff line number Diff line change
Expand Up @@ -237,7 +237,7 @@ function splitPostParameters( params ) {
const urlParams = {};
const bodyParams = {};
for ( const [ key, value ] of Object.entries( params ) ) {
if ( key === 'action' || key === 'origin' ) {
if ( key === 'action' || key === 'origin' || key === 'crossorigin' ) {
urlParams[ key ] = value;
} else {
bodyParams[ key ] = value;
Expand Down
18 changes: 18 additions & 0 deletions test/unit/core.test.js
Original file line number Diff line number Diff line change
Expand Up @@ -1243,6 +1243,24 @@ describe( 'Session', () => {

} );

it( 'splits URL and body params', async () => {
const session = singleRequestSession( {
action: 'query',
list: 'search',
srsearch: 'test',
origin: '*',
crossorigin: '',
}, {}, 'POST' );
await session.request( {
action: 'query',
list: 'search',
srsearch: 'test',
origin: '*',
crossorigin: true,
}, { method: 'POST' } );
// actual assertions are in checkPostParams()
} );

} );

describe( 'requestAndContinue', () => {
Expand Down
15 changes: 14 additions & 1 deletion test/unit/sessions.js
Original file line number Diff line number Diff line change
Expand Up @@ -74,14 +74,27 @@ export function makeResponse( bodyOrResponse ) {
}
}

/**
* Check that the URL and body parameters are disjoint,
* that the URL parameters only include action/origin/crossorigin
* and that the body paramaters don’t include those parameters.
*
* @param {Object} urlParams
* @param {Object} bodyParams
*/
function checkPostParams( urlParams, bodyParams ) {
const urlParamNames = Object.keys( urlParams );
const commonParamNames = urlParamNames.filter(
( name ) => name in bodyParams );
expect( commonParamNames ).to.be.empty;

const unexpectedUrlParamNames = urlParamNames.filter(
( name ) => name !== 'action' && name !== 'origin' );
( name ) => name !== 'action' && name !== 'origin' && name !== 'crossorigin' );
expect( unexpectedUrlParamNames ).to.be.empty;

expect( bodyParams ).not.to.have.keys( 'action' );
expect( bodyParams ).not.to.have.keys( 'origin' );
expect( bodyParams ).not.to.have.keys( 'crossorigin' );
}

/**
Expand Down

0 comments on commit b3baec3

Please sign in to comment.