1 files changed, 35 insertions, 0 deletions

diff --git a/includes/api/ApiMain.php b/includes/api/ApiMain.php
index d943c86b..1f0aebb6 100644
--- a/includes/api/ApiMain.php
+++ b/includes/api/ApiMain.php
@@ -145,6 +145,9 @@ class ApiMain extends ApiBase {
 	private $mCacheControl = array();
 	private $mParamsUsed = array();
 
+	/** @var bool|null Cached return value from self::lacksSameOriginSecurity() */
+	private $lacksSameOriginSecurity = null;
+
 	/**
 	 * Constructs an instance of ApiMain that utilizes the module and format specified by $request.
 	 *
@@ -243,6 +246,36 @@ class ApiMain extends ApiBase {
 	}
 
 	/**
+	 * Get the security flag for the current request
+	 * @return bool
+	 */
+	public function lacksSameOriginSecurity() {
+		if ( $this->lacksSameOriginSecurity !== null ) {
+			return $this->lacksSameOriginSecurity;
+		}
+
+		$request = $this->getRequest();
+
+		// JSONP mode
+		if ( $request->getVal( 'callback' ) !== null ) {
+			$this->lacksSameOriginSecurity = true;
+			return true;
+		}
+
+		// Header to be used from XMLHTTPRequest when the request might
+		// otherwise be used for XSS.
+		if ( $request->getHeader( 'Treat-as-Untrusted' ) !== false ) {
+			$this->lacksSameOriginSecurity = true;
+			return true;
+		}
+
+		// Allow extensions to override.
+		$this->lacksSameOriginSecurity = !Hooks::run( 'RequestHasSameOriginSecurity', array( $request ) );
+		return $this->lacksSameOriginSecurity;
+	}
+
+
+	/**
 	 * Get the ApiErrorFormatter object associated with current request
 	 * @return ApiErrorFormatter
 	 */
@@ -717,6 +750,8 @@ class ApiMain extends ApiBase {
 		$response = $this->getRequest()->response();
 		$out = $this->getOutput();
 
+		$out->addVaryHeader( 'Treat-as-Untrusted' );
+
 		$config = $this->getConfig();
 
 		if ( $config->get( 'VaryOnXFP' ) ) {