From d5513c90cd0713b9acbd8fdccc8d59d6f010d5d2 Mon Sep 17 00:00:00 2001
From: csteipp <csteipp@wikimedia.org>
Date: Mon, 30 Sep 2013 11:04:45 -0700
Subject: [PATCH] Add Vary: X-Forwarded-Proto for https redirects

From mark's comments on https://gerrit.wikimedia.org/r/#/c/86268/, we
should be setting Vary: X-Forwarded-Proto when the response varies on
the protocol, which is the case for redirects from http->https.

Change-Id: Ie6dc9da4e804199b99e3a7abbea7775a181801a0
---
 includes/Wiki.php                      | 2 ++
 includes/specials/SpecialUserlogin.php | 2 ++
 2 files changed, 4 insertions(+)

diff --git a/includes/Wiki.php b/includes/Wiki.php
index 0683d7c9f9..b3bcf33a5d 100644
--- a/includes/Wiki.php
+++ b/includes/Wiki.php
@@ -539,6 +539,8 @@ class MediaWiki {
 			$title = Title::newFromText( NS_MAIN, 'REDIR' );
 			$this->context->setTitle( $title );
 			$output = $this->context->getOutput();
+			// Since we only do this redir to change proto, always send a vary header
+			$output->addVaryHeader( 'X-Forwarded-Proto' );
 			$output->redirect( $redirUrl );
 			$output->output();
 			wfProfileOut( __METHOD__ );
diff --git a/includes/specials/SpecialUserlogin.php b/includes/specials/SpecialUserlogin.php
index a68efc40b6..9429f10472 100644
--- a/includes/specials/SpecialUserlogin.php
+++ b/includes/specials/SpecialUserlogin.php
@@ -178,6 +178,8 @@ class LoginForm extends SpecialPage {
 			if ( $wgSecureLogin && wfCanIPUseHTTPS( $this->getRequest()->getIP() ) ) {
 				$url = wfAppendQuery( $url, 'fromhttp=1' );
 				$this->getOutput()->redirect( $url );
+				// Since we only do this redir to change proto, always vary
+				$this->getOutput()->addVaryHeader( 'X-Forwarded-Proto' );
 				return;
 			} else {
 				// A wiki without HTTPS login support should set $wgServer to
-- 
2.20.1