Add Timing-Allow-Origin header for cross-domain API responses

This makes it possible to get detailed network timing information
via ResourceTiming.

Change-Id: Ie88d4354285420014c0f1612446ba94fc2a8c68f

diff --git a/includes/api/ApiMain.php b/includes/api/ApiMain.php
index 82ed295..9a98054 100644 (file)
--- a/includes/api/ApiMain.php
+++ b/includes/api/ApiMain.php
@@ -554,6 +554,7 @@ class ApiMain extends ApiBase {
 
                        $response->header( "Access-Control-Allow-Origin: $originHeader" );
                        $response->header( 'Access-Control-Allow-Credentials: true' );
+                       $response->header( "Timing-Allow-Origin: $originHeader" ); # http://www.w3.org/TR/resource-timing/#timing-allow-origin
 
                        if ( !$preflight ) {
                                $response->header( 'Access-Control-Expose-Headers: MediaWiki-API-Error, Retry-After, X-Database-Lag' );