*/
$wgEditPageFrameOptions = 'DENY';
+/**
+ * Disallow framing of API pages directly, by setting the X-Frame-Options
+ * header. Since the API returns CSRF tokens, allowing the results to be
+ * framed can compromise your user's account security.
+ * Options are:
+ * - 'DENY': Do not allow framing. This is recommended for most wikis.
+ * - 'SAMEORIGIN': Allow framing by pages on the same domain.
+ * - false: Allow all framing.
+ */
+
+$wgApiFrameOptions = 'DENY';
+
/**
* Disable output compression (enabled by default if zlib is available)
*/
$this->getMain()->getRequest()->response()->header( "Content-Type: $mime; charset=utf-8" );
+ //Set X-Frame-Options API results (bug 39180)
+ global $wgApiFrameOptions;
+ if ( $wgApiFrameOptions ) {
+ $this->getMain()->getRequest()->response()->header( "X-Frame-Options: $wgApiFrameOptions" );
+ }
+
if ( $isHtml ) {
?>
<!DOCTYPE HTML>