Use WebRequest instead of $_SERVER in ApiMain.

Change-Id: I964534089e85ec1e9ccf567efa66b05a1a3a7462

diff --git a/includes/api/ApiMain.php b/includes/api/ApiMain.php
index 05f6652..341df24 100644 (file)
--- a/includes/api/ApiMain.php
+++ b/includes/api/ApiMain.php
@@ -422,15 +422,22 @@ class ApiMain extends ApiBase {
         */
        protected function handleCORS() {
                global $wgCrossSiteAJAXdomains, $wgCrossSiteAJAXdomainExceptions;
-               $response = $this->getRequest()->response();
+
                $originParam = $this->getParameter( 'origin' ); // defaults to null
                if ( $originParam === null ) {
                        // No origin parameter, nothing to do
                        return true;
                }
+
+               $request = $this->getRequest();
+               $response = $request->response();
                // Origin: header is a space-separated list of origins, check all of them
-               $originHeader = isset( $_SERVER['HTTP_ORIGIN'] ) ? $_SERVER['HTTP_ORIGIN'] : '';
-               $origins = explode( ' ', $originHeader );
+               $originHeader = $request->getHeader( 'Origin' );
+               if ( $originHeader === false ) {
+                       $origins = array();
+               } else {
+                       $origins = explode( ' ', $originHeader );
+               }
                if ( !in_array( $originParam, $origins ) ) {
                        // origin parameter set but incorrect
                        // Send a 403 response