From: csteipp <csteipp@wikimedia.org>
Date: Mon, 30 Sep 2013 18:04:45 +0000 (-0700)
Subject: Add Vary: X-Forwarded-Proto for https redirects
X-Git-Tag: 1.31.0-rc.0~18637^2
X-Git-Url: http://git.cyclocoop.org/%7B%24admin_url%7Dmembres/cotisations/gestion/rappel_supprimer.php?a=commitdiff_plain;h=d5513c90cd0713b9acbd8fdccc8d59d6f010d5d2;p=lhc%2Fweb%2Fwiklou.git

Add Vary: X-Forwarded-Proto for https redirects

From mark's comments on https://gerrit.wikimedia.org/r/#/c/86268/, we
should be setting Vary: X-Forwarded-Proto when the response varies on
the protocol, which is the case for redirects from http->https.

Change-Id: Ie6dc9da4e804199b99e3a7abbea7775a181801a0
---

diff --git a/includes/Wiki.php b/includes/Wiki.php
index 0683d7c9f9..b3bcf33a5d 100644
--- a/includes/Wiki.php
+++ b/includes/Wiki.php
@@ -539,6 +539,8 @@ class MediaWiki {
 			$title = Title::newFromText( NS_MAIN, 'REDIR' );
 			$this->context->setTitle( $title );
 			$output = $this->context->getOutput();
+			// Since we only do this redir to change proto, always send a vary header
+			$output->addVaryHeader( 'X-Forwarded-Proto' );
 			$output->redirect( $redirUrl );
 			$output->output();
 			wfProfileOut( __METHOD__ );
diff --git a/includes/specials/SpecialUserlogin.php b/includes/specials/SpecialUserlogin.php
index a68efc40b6..9429f10472 100644
--- a/includes/specials/SpecialUserlogin.php
+++ b/includes/specials/SpecialUserlogin.php
@@ -178,6 +178,8 @@ class LoginForm extends SpecialPage {
 			if ( $wgSecureLogin && wfCanIPUseHTTPS( $this->getRequest()->getIP() ) ) {
 				$url = wfAppendQuery( $url, 'fromhttp=1' );
 				$this->getOutput()->redirect( $url );
+				// Since we only do this redir to change proto, always vary
+				$this->getOutput()->addVaryHeader( 'X-Forwarded-Proto' );
 				return;
 			} else {
 				// A wiki without HTTPS login support should set $wgServer to