Merge "Remove $wgHttpOnlyBlacklist"

diff --git a/RELEASE-NOTES-1.23 b/RELEASE-NOTES-1.23
index 340aa50..9633edd 100644 (file)
--- a/RELEASE-NOTES-1.23
+++ b/RELEASE-NOTES-1.23
@@ -50,6 +50,7 @@ production.
   prepended to the start of this array.
 * $wgQueryPages has been removed. Query Pages should be added to by using the
   wgQueryPages hook.
+* $wgHttpOnlyBlacklist has been removed.
 
 === New features in 1.23 ===
 * ResourceLoader can utilize the Web Storage API to cache modules client-side.

diff --git a/includes/DefaultSettings.php b/includes/DefaultSettings.php
index 71851d5..612acb9 100644 (file)
--- a/includes/DefaultSettings.php
+++ b/includes/DefaultSettings.php
@@ -4870,17 +4870,6 @@ $wgCookiePrefix = false;
  */
 $wgCookieHttpOnly = true;
 
-/**
- * If the requesting browser matches a regex in this blacklist, we won't
- * send it cookies with HttpOnly mode, even if $wgCookieHttpOnly is on.
- */
-$wgHttpOnlyBlacklist = array(
-       // Internet Explorer for Mac; sometimes the cookies work, sometimes
-       // they don't. It's difficult to predict, as combinations of path
-       // and expiration options affect its parsing.
-       '/^Mozilla\/4\.0 \(compatible; MSIE \d+\.\d+; Mac_PowerPC\)/',
-);
-
 /**
  * A list of cookies that vary the cache (for use by extensions)
  */

diff --git a/includes/GlobalFunctions.php b/includes/GlobalFunctions.php
index 0e95ef7..f0b0a8d 100644 (file)
--- a/includes/GlobalFunctions.php
+++ b/includes/GlobalFunctions.php
@@ -3441,23 +3441,6 @@ function wfBaseConvert( $input, $sourceBase, $destBase, $pad = 1,
        return str_pad( $result, $pad, '0', STR_PAD_LEFT );
 }
 
-/**
- * @return bool
- */
-function wfHttpOnlySafe() {
-       global $wgHttpOnlyBlacklist;
-
-       if ( isset( $_SERVER['HTTP_USER_AGENT'] ) ) {
-               foreach ( $wgHttpOnlyBlacklist as $regex ) {
-                       if ( preg_match( $regex, $_SERVER['HTTP_USER_AGENT'] ) ) {
-                               return false;
-                       }
-               }
-       }
-
-       return true;
-}
-
 /**
  * Check if there is sufficient entropy in php's built-in session generation
  * @return bool true = there is sufficient entropy
@@ -3530,7 +3513,6 @@ function wfSetupSession( $sessionId = false ) {
                # hasn't already been set to the desired value (that causes errors)
                ini_set( 'session.save_handler', $wgSessionHandler );
        }
-       $httpOnlySafe = wfHttpOnlySafe() && $wgCookieHttpOnly;
        wfDebugLog( 'cookie',
                'session_set_cookie_params: "' . implode( '", "',
                        array(
@@ -3538,8 +3520,9 @@ function wfSetupSession( $sessionId = false ) {
                                $wgCookiePath,
                                $wgCookieDomain,
                                $wgCookieSecure,
-                               $httpOnlySafe ) ) . '"' );
-       session_set_cookie_params( 0, $wgCookiePath, $wgCookieDomain, $wgCookieSecure, $httpOnlySafe );
+                               $wgCookieHttpOnly ) ) . '"' );
+       session_set_cookie_params(
+               0, $wgCookiePath, $wgCookieDomain, $wgCookieSecure, $wgCookieHttpOnly );
        session_cache_limiter( 'private, must-revalidate' );
        if ( $sessionId ) {
                session_id( $sessionId );

diff --git a/includes/WebResponse.php b/includes/WebResponse.php
index ab7524c..a3dadd0 100644 (file)
--- a/includes/WebResponse.php
+++ b/includes/WebResponse.php
@@ -88,12 +88,6 @@ class WebResponse {
                        $expire = time() + $wgCookieExpiration;
                }
 
-               // Don't mark the cookie as httpOnly if the requesting user-agent is
-               // known to have trouble with httpOnly cookies.
-               if ( !wfHttpOnlySafe() ) {
-                       $options['httpOnly'] = false;
-               }
-
                $func = $options['raw'] ? 'setrawcookie' : 'setcookie';
 
                if ( wfRunHooks( 'WebResponseSetCookie', array( &$name, &$value, &$expire, $options ) ) ) {