Merge "Avoid DBPerformance warnings on PURGE/TRACE requests"

diff --combined includes/api/ApiMain.php
index 7f9b98b,93a5b60..ce9587f
--- 1/includes/api/ApiMain.php
--- 2/includes/api/ApiMain.php
+++ b/includes/api/ApiMain.php
@@@ -148,9 -148,6 +148,9 @@@ class ApiMain extends ApiBase 
        private $mCacheControl = [];
        private $mParamsUsed = [];
  
 +      /** @var bool|null Cached return value from self::lacksSameOriginSecurity() */
 +      private $lacksSameOriginSecurity = null;
 +
        /**
         * Constructs an instance of ApiMain that utilizes the module and format specified by $request.
         *
@@@ -248,35 -245,6 +248,35 @@@
                return $this->mResult;
        }
  
 +      /**
 +       * Get the security flag for the current request
 +       * @return bool
 +       */
 +      public function lacksSameOriginSecurity() {
 +              if ( $this->lacksSameOriginSecurity !== null ) {
 +                      return $this->lacksSameOriginSecurity;
 +              }
 +
 +              $request = $this->getRequest();
 +
 +              // JSONP mode
 +              if ( $request->getVal( 'callback' ) !== null ) {
 +                      $this->lacksSameOriginSecurity = true;
 +                      return true;
 +              }
 +
 +              // Header to be used from XMLHTTPRequest when the request might
 +              // otherwise be used for XSS.
 +              if ( $request->getHeader( 'Treat-as-Untrusted' ) !== false ) {
 +                      $this->lacksSameOriginSecurity = true;
 +                      return true;
 +              }
 +
 +              // Allow extensions to override.
 +              $this->lacksSameOriginSecurity = !Hooks::run( 'RequestHasSameOriginSecurity', [ $request ] );
 +              return $this->lacksSameOriginSecurity;
 +      }
 +
        /**
         * Get the ApiErrorFormatter object associated with current request
         * @return ApiErrorFormatter
@@@ -471,8 -439,7 +471,8 @@@
                        $this->logRequest( $runTime );
                        if ( $this->mModule->isWriteMode() && $this->getRequest()->wasPosted() ) {
                                $this->getStats()->timing(
 -                                      'api.' . $this->getModuleName() . '.executeTiming', 1000 * $runTime );
 +                                      'api.' . $this->mModule->getModuleName() . '.executeTiming', 1000 * $runTime
 +                              );
                        }
                } catch ( Exception $e ) {
                        $this->handleException( $e );
@@@ -763,8 -730,6 +763,8 @@@
                $response = $this->getRequest()->response();
                $out = $this->getOutput();
  
 +              $out->addVaryHeader( 'Treat-as-Untrusted' );
 +
                $config = $this->getConfig();
  
                if ( $config->get( 'VaryOnXFP' ) ) {
@@@ -1391,15 -1356,13 +1391,13 @@@
        protected function setRequestExpectations( ApiBase $module ) {
                $limits = $this->getConfig()->get( 'TrxProfilerLimits' );
                $trxProfiler = Profiler::instance()->getTransactionProfiler();
-               if ( $this->getRequest()->wasPosted() ) {
-                       if ( $module->isWriteMode() ) {
-                               $trxProfiler->setExpectations( $limits['POST'], __METHOD__ );
-                       } else {
-                               $trxProfiler->setExpectations( $limits['POST-nonwrite'], __METHOD__ );
-                               $this->getRequest()->markAsSafeRequest();
-                       }
-               } else {
+               if ( $this->getRequest()->hasSafeMethod() ) {
                        $trxProfiler->setExpectations( $limits['GET'], __METHOD__ );
+               } elseif ( $this->getRequest()->wasPosted() && !$module->isWriteMode() ) {
+                       $trxProfiler->setExpectations( $limits['POST-nonwrite'], __METHOD__ );
+                       $this->getRequest()->markAsSafeRequest();
+               } else {
+                       $trxProfiler->setExpectations( $limits['POST'], __METHOD__ );
                }
        }