Diffstat (limited to 'includes/OutputPage.php')
-rw-r--r-- | includes/OutputPage.php | 63 |
1 files changed, 52 insertions, 11 deletions
diff --git a/includes/OutputPage.php b/includes/OutputPage.php
index 7f0454f6..e6d4339f 100644
--- a/includes/OutputPage.php
+++ b/includes/OutputPage.php
@@ -151,9 +151,11 @@ class OutputPage extends ContextSource {
 var $mFeedLinksAppendQuery = null;
- # What level of 'untrustworthiness' is allowed in CSS/JS modules loaded on this page?
- # @see ResourceLoaderModule::$origin
- # ResourceLoaderModule::ORIGIN_ALL is assumed unless overridden;
+ /** @var array
+ * What level of 'untrustworthiness' is allowed in CSS/JS modules loaded on this page?
+ * @see ResourceLoaderModule::$origin
+ * ResourceLoaderModule::ORIGIN_ALL is assumed unless overridden;
+ */
 protected $mAllowedModules = array(
 ResourceLoaderModule::TYPE_COMBINED => ResourceLoaderModule::ORIGIN_ALL,
 );
@@ -1273,12 +1275,29 @@ class OutputPage extends ContextSource {
 /**
 * Do not allow scripts which can be modified by wiki users to load on this page;
 * only allow scripts bundled with, or generated by, the software.
+ * Site-wide styles are controlled by a config setting, since they can be
+ * used to create a custom skin/theme, but not user-specific ones.
+ *
+ * @todo this should be given a more accurate name
 */
 public function disallowUserJs() {
+ global $wgAllowSiteCSSOnRestrictedPages;
 $this->reduceAllowedModules(
 ResourceLoaderModule::TYPE_SCRIPTS,
 ResourceLoaderModule::ORIGIN_CORE_INDIVIDUAL
 );
+
+ // Site-wide styles are controlled by a config setting, see bug 71621
+ // for background on why. User styles are never allowed.
+ if ( $wgAllowSiteCSSOnRestrictedPages ) {
+ $styleOrigin = ResourceLoaderModule::ORIGIN_USER_SITEWIDE;
+ } else {
+ $styleOrigin = ResourceLoaderModule::ORIGIN_CORE_INDIVIDUAL;
+ }
+ $this->reduceAllowedModules(
+ ResourceLoaderModule::TYPE_STYLES,
+ $styleOrigin
+ );
 }
 /**
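Review bot: The `$wgAllowSiteCSSOnRestrictedPages` branch in disallowUserJs() widens the style origin to ORIGIN_USER_SITEWIDE with no comment on what that trade-off costs, so a reader of this method will assume "CSS only" is harmless on a page that was explicitly restricted. Site-wide stylesheets are presumably editable by privileged wiki users, and CSS alone can hide or overlay controls on a restricted page (login, preferences) and, through attribute selectors combined with `url()` backgrounds, leak typed form values to a remote host. I would spell that out next to the check, e.g. `// When enabled, wiki-editable site CSS loads on restricted pages: CSS can overlay/hide controls and exfiltrate form input via attribute selectors, so keep this off unless the wiki needs its theme there.` The inline comment's claim that "User styles are never allowed" rests on ORIGIN_USER_SITEWIDE sorting below the per-user origin in ResourceLoaderModule, which this hunk does not show; stating that ordering assumption in the comment would make the fail-closed argument checkable.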
@@ -1293,10 +1312,11 @@ class OutputPage extends ContextSource {
 }
 /**
- * Show what level of JavaScript / CSS untrustworthiness is allowed on this page
+ * Get the level of JavaScript / CSS untrustworthiness allowed on this page.
+ *
 * @see ResourceLoaderModule::$origin
 * @param string $type ResourceLoaderModule TYPE_ constant
- * @return Int ResourceLoaderModule ORIGIN_ class constant
+ * @return int ResourceLoaderModule ORIGIN_ class constant
 */
 public function getAllowedModules( $type ) {
 if ( $type == ResourceLoaderModule::TYPE_COMBINED ) {
@@ -1310,17 +1330,26 @@ class OutputPage extends ContextSource {
 /**
 * Set the highest level of CSS/JS untrustworthiness allowed
- * @param $type String ResourceLoaderModule TYPE_ constant
- * @param $level Int ResourceLoaderModule class constant
+ *
+ * @deprecated since 1.24 Raising level of allowed untrusted content is no longer supported.
+ * Use reduceAllowedModules() instead
+ *
+ * @param string $type ResourceLoaderModule TYPE_ constant
+ * @param int $level ResourceLoaderModule class constant
 */
 public function setAllowedModules( $type, $level ) {
- $this->mAllowedModules[$type] = $level;
+ wfDeprecated( __METHOD__, '1.24' );
+ $this->reduceAllowedModules( $type, $level );
 }
 /**
- * As for setAllowedModules(), but don't inadvertently make the page more accessible
- * @param $type String
- * @param $level Int ResourceLoaderModule class constant
+ * Limit the highest level of CSS/JS untrustworthiness allowed.
+ *
+ * If passed the same or a higher level than the current level of untrustworthiness set, the
+ * level will remain unchanged.
+ *
+ * @param string $type
+ * @param int $level ResourceLoaderModule class constant
 */
 public function reduceAllowedModules( $type, $level ) {
 $this->mAllowedModules[$type] = min( $this->getAllowedModules( $type ), $level );
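Review bot: reduceAllowedModules() still accepts any `$level` without checking that it is one of the integer ORIGIN_ constants, and the `min()` on its last visible line is where a string or null passed by a careless extension would produce a stored value that later origin comparisons treat unpredictably; since setAllowedModules() now just forwards here, this method is the single chokepoint for a page's restriction and a guard such as `if ( !is_int( $level ) ) { throw new InvalidArgumentException( '$level must be a ResourceLoaderModule ORIGIN_ constant' ); }` before the `min()` would be cheap. The new `@deprecated` text on setAllowedModules() could also say outright that a call which would raise the level is now silently ignored rather than applied, e.g. `* @deprecated since 1.24 Calls that would raise the level are ignored; use reduceAllowedModules()`. The rewritten `@param string $type` on reduceAllowedModules() dropped the "ResourceLoaderModule TYPE_ constant" description that setAllowedModules() keeps; worth restoring for consistency. reduceAllowedModules()'s body continues past the end of the hunk.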
@@ -1574,6 +1603,8 @@ class OutputPage extends ContextSource {
 $this->addModuleScripts( $parserOutput->getModuleScripts() );
 $this->addModuleStyles( $parserOutput->getModuleStyles() );
 $this->addModuleMessages( $parserOutput->getModuleMessages() );
+ $this->mPreventClickjacking = $this->mPreventClickjacking
+ || $parserOutput->preventClickjacking();
 // Template versioning...
 foreach ( (array)$parserOutput->getTemplateIds() as $ns => $dbks ) {
@@ -1874,6 +1905,16 @@ class OutputPage extends ContextSource {
 }
 /**
+ * Get the prevent-clickjacking flag
+ *
+ * @since 1.24
+ * @return boolean
+ */
+ public function getPreventClickjacking() {
+ return $this->mPreventClickjacking;
+ }
+
+ /**
 * Get the X-Frame-Options header value (without the name part), or false
 * if there isn't one. This is used by Skin to determine whether to enable
 * JavaScript frame-breaking, for clients that don't support X-Frame-Options. |
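Review bot: The new `||` assignment that merges `$parserOutput->preventClickjacking()` into `$this->mPreventClickjacking` is deliberately one-way (a later parser output can set the flag but never clear it), and nothing in the hunk says so, which invites a future "simplification" to a plain assignment that would let one unrestricted fragment cancel another's frame protection. I would add a comment above the two lines: `// Sticky: once any parser output on this page asks for frame protection, keep it; never lower it here.` The enclosing method starts before the hunk and the `foreach` on the last hunk line closes after it.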
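Review bot: The new getPreventClickjacking() docblock uses `@return boolean` while the same commit normalises `Int` to `int` elsewhere in this file; it should read `* @return bool` to match. The getter returns the raw property, so its value is only meaningful to callers as far as the X-Frame-Options logic documented in the following docblock honours it; that method begins after the end of the hunk, so I could not confirm it reads this flag.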