Merge branch 'archwiki' into lukeshu/masterHEADproductionmaster

1 files changed, 27 insertions, 0 deletions

diff --git a/tests/phpunit/includes/api/ApiMainTest.php b/tests/phpunit/includes/api/ApiMainTest.php
index 94b741dc..a2bc7aed 100644
--- a/tests/phpunit/includes/api/ApiMainTest.php
+++ b/tests/phpunit/includes/api/ApiMainTest.php
@@ -248,4 +248,31 @@ class ApiMainTest extends ApiTestCase {
 		);
 	}
 
+	/**
+	 * @covers ApiMain::lacksSameOriginSecurity
+	 */
+	public function testLacksSameOriginSecurity() {
+		// Basic test
+		$main = new ApiMain( new FauxRequest( array( 'action' => 'query', 'meta' => 'siteinfo' ) ) );
+		$this->assertFalse( $main->lacksSameOriginSecurity(), 'Basic test, should have security' );
+
+		// JSONp
+		$main = new ApiMain(
+			new FauxRequest( array( 'action' => 'query', 'format' => 'xml', 'callback' => 'foo'  ) )
+		);
+		$this->assertTrue( $main->lacksSameOriginSecurity(), 'JSONp, should lack security' );
+
+		// Header
+		$request = new FauxRequest( array( 'action' => 'query', 'meta' => 'siteinfo' ) );
+		$request->setHeader( 'TrEaT-As-UnTrUsTeD', '' ); // With falsey value!
+		$main = new ApiMain( $request );
+		$this->assertTrue( $main->lacksSameOriginSecurity(), 'Header supplied, should lack security' );
+
+		// Hook
+		$this->mergeMwGlobalArrayValue( 'wgHooks', array(
+			'RequestHasSameOriginSecurity' => array( function () { return false; } )
+		) );
+		$main = new ApiMain( new FauxRequest( array( 'action' => 'query', 'meta' => 'siteinfo' ) ) );
+		$this->assertTrue( $main->lacksSameOriginSecurity(), 'Hook, should lack security' );
+	}
 }