From: csteipp
Date: Fri, 17 Aug 2012 19:20:47 +0000 (-0700)
Subject: (bug 39180) Set x-frame-options='DENY' for api
X-Git-Tag: 1.31.0-rc.0~22511^2
X-Git-Url: http://git.cyclocoop.org/%7B%24www_url%7Dadmin/compta/exercices/?a=commitdiff_plain;h=32b99b11c9e71579b2bdabacb687472f9c81aae5;p=lhc%2Fweb%2Fwiklou.git

(bug 39180) Set x-frame-options='DENY' for api

By default, set the x-frame-options header for api result pages to 'DENY'. This is to prevent an attacker from iframing an api page that includes tokens and stealing them from a user, for example with a fake captcha prompt. The global $wgApiFrameOptions is used for the value, or can be set to false to disable setting the header.

Change-Id: I498f874d7f6c180ec4f3abfc81f773c0fa0f421d
---
diff --git a/includes/DefaultSettings.php b/includes/DefaultSettings.php
index a6244ed94e..acbcd0a323 100644
--- a/includes/DefaultSettings.php
+++ b/includes/DefaultSettings.php
@@ -2620,6 +2620,18 @@ $wgBreakFrames = false;
 */
 $wgEditPageFrameOptions = 'DENY';
+/**
+ * Disallow framing of API pages directly, by setting the X-Frame-Options
+ * header. Since the API returns CSRF tokens, allowing the results to be
+ * framed can compromise your user's account security.
+ * Options are:
+ * - 'DENY': Do not allow framing. This is recommended for most wikis.
+ * - 'SAMEORIGIN': Allow framing by pages on the same domain.
+ * - false: Allow all framing.
+ */
+ $wgApiFrameOptions = 'DENY';
+
 /**
 * Disable output compression (enabled by default if zlib is available)
 */
diff --git a/includes/api/ApiFormatBase.php b/includes/api/ApiFormatBase.php
index a8d69f5dc9..54c90a6eef 100644
--- a/includes/api/ApiFormatBase.php
+++ b/includes/api/ApiFormatBase.php
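Review bot: The docblock enumerates `'DENY'`, `'SAMEORIGIN'` and `false`, but the consumer added in the includes/api/ApiFormatBase.php hunk sends any truthy value verbatim (`header( "X-Frame-Options: $wgApiFrameOptions" )`), so a misspelled or unsupported value reaches the browser unchecked and may not be honoured, quietly re-enabling framing of token-bearing responses. Either validate at the emit site, e.g. `if ( in_array( $wgApiFrameOptions, array( 'DENY', 'SAMEORIGIN' ), true ) ) {`, or state in this docblock that the value is passed through unvalidated and that any falsy value (not only `false`) disables the header. The docblock is also missing the `@since` tag that DefaultSettings entries usually carry; `@since <release placeholder>` belongs before the closing ` */`. The ApiFormatBase.php hunk continues past the visible text, so only its added lines were reviewed.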
@@ -143,6 +143,12 @@ abstract class ApiFormatBase extends ApiBase {
 $this->getMain()->getRequest()->response()->header( "Content-Type: $mime; charset=utf-8" );
+ //Set X-Frame-Options API results (bug 39180)
+ global $wgApiFrameOptions;
+ if ( $wgApiFrameOptions ) {
+ $this->getMain()->getRequest()->response()->header( "X-Frame-Options: $wgApiFrameOptions" );
+ }
+
 if ( $isHtml ) {
 ?>