X-Frame-Options header


X-Frame-Options header

Chris Steipp
Hi, I wanted to call attention on this list to a small change [1] in
the API that we just released as part of a security update [2]. We
previously had not set X-Frame-Options headers on the result of API
queries. This could leave a site open to a variety of UI redressing
attacks, so the WMF sites now set the X-Frame-Options header to 'DENY'
on API results. This will also be the default configuration for new
downloads.

If you need to show the result of an API query in an iframe, you can
set the $wgApiFrameOptions = false to disable the header. However, I
would encourage everyone to keep the header, as it will help prevent
this type of attack.


[1] - https://bugzilla.wikimedia.org/show_bug.cgi?id=39180
[2] - http://lists.wikimedia.org/pipermail/mediawiki-announce/2012-August/000119.html

_______________________________________________
Mediawiki-api mailing list
[hidden email]
https://lists.wikimedia.org/mailman/listinfo/mediawiki-api
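An added verification check for the header described above (this is example code, not part of the post or of MediaWiki): it classifies an X-Frame-Options value the way a browser would act on it, so a site admin can confirm that api.php really answers with DENY after the update. It assumes the response headers are given as a mapping or as (name, value) pairs, and the optional live fetch takes the api.php URL as its first command-line argument.

```python
"""Check an HTTP response for the X-Frame-Options header (added example)."""
import sys
import urllib.request


def classify_frame_options(headers):
    """Return (verdict, detail) for response headers.

    headers: a dict or an iterable of (name, value) pairs; names are
    matched case-insensitively. verdict is one of 'deny', 'sameorigin',
    'missing' or 'weak'.
    """
    items = headers.items() if hasattr(headers, "items") else headers
    values = [v for k, v in items if k.lower() == "x-frame-options"]
    if not values:
        return "missing", "no X-Frame-Options header: any origin may frame this response"
    # A proxy and the application may both add the header; browsers do not
    # agree on how to resolve conflicting values, so treat that as a misconfiguration.
    directives = {v.strip().upper() for v in values}
    if len(directives) != 1:
        return "weak", "conflicting values %s" % sorted(directives)
    directive = directives.pop()
    if directive == "DENY":
        return "deny", "framing blocked from every origin (the setting announced above)"
    if directive == "SAMEORIGIN":
        return "sameorigin", "framing allowed only from the same origin"
    if directive.startswith("ALLOW-FROM"):
        return "weak", "ALLOW-FROM is obsolete and ignored by several browsers"
    return "weak", "unrecognised value %r is ignored by browsers" % directive


def audit_url(url, timeout=10):
    """Fetch url (network access) and classify its X-Frame-Options header."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        # items() keeps duplicate header lines, unlike a plain dict
        return classify_frame_options(resp.headers.items())


# Constructed sample of what api.php returns once the header is enabled.
SAMPLE_API_HEADERS = {
    "Content-Type": "application/json; charset=utf-8",
    "X-Frame-Options": "DENY",
}

if __name__ == "__main__":
    if len(sys.argv) > 1:
        verdict, detail = audit_url(sys.argv[1])  # e.g. https://<your wiki>/w/api.php
    else:
        verdict, detail = classify_frame_options(SAMPLE_API_HEADERS)
    print("%s: %s" % (verdict, detail))
```

Run it against a wiki that sets $wgApiFrameOptions = false and the verdict changes from 'deny' to 'missing', which is the state the post warns against.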

[Mediawiki-api-announce] Fwd: X-Frame-Options header

Roan Kattouw-2
Forwarding to the announcements list. This also causes this to re-post
to the mediawiki-api list, sorry about that.

Roan


---------- Forwarded message ----------
From: Chris Steipp <[hidden email]>
Date: Thu, Aug 30, 2012 at 10:47 PM
Subject: [Mediawiki-api] X-Frame-Options header
To: [hidden email]


_______________________________________________
Mediawiki-api-announce mailing list
[hidden email]
https://lists.wikimedia.org/mailman/listinfo/mediawiki-api-announce