From: Brian Wolff
Date: Thu, 23 Oct 2014 01:49:54 +0000 (-0300)
Subject: Respect $wgApiFrameOptions in formatted API output mode
X-Git-Tag: 1.31.0-rc.0~13500^2
X-Git-Url: http://git.cyclocoop.org/%7B%7B%20url_for%28%27admin_vote_del%27%2C%20idvote=vote.voteid%29%20%7D%7D?a=commitdiff_plain;h=d94e6411a5f7a0cb6f3ef2c67a4867dc3828cb7d;p=lhc%2Fweb%2Fwiklou.git

Respect $wgApiFrameOptions in formatted API output mode

This restores the pre- d25cb992 behaviour. Apparently UploadWizard's flickr module relies on this (Which seems rather wrong, but regardless I still think api handling of $wgApiFrameOptions should extend to the "fm" modes.)

Note: If $wgBreakFrames is true, then frames will still be broken. Although this is a change from prior behaviour, it makes sense to me that $wgBreakFrames would not allow the human readable output of the API be framed.

Bug: 72340
Change-Id: Ia61a4698f7044acfcd7339207590d9333f4100cb
---
diff --git a/includes/DefaultSettings.php b/includes/DefaultSettings.php index af36a64d17..d45e5730c7 100644 --- a/includes/DefaultSettings.php +++ b/includes/DefaultSettings.php @@ -3079,6 +3079,7 @@ $wgEditPageFrameOptions = 'DENY'; * - 'DENY': Do not allow framing. This is recommended for most wikis. * - 'SAMEORIGIN': Allow framing by pages on the same domain. * - false: Allow all framing. + * Note: $wgBreakFrames will override this for human formatted API output. */ $wgApiFrameOptions = 'DENY'; diff --git a/includes/api/ApiFormatBase.php b/includes/api/ApiFormatBase.php index f0037bb291..62705ef93d 100644 --- a/includes/api/ApiFormatBase.php +++ b/includes/api/ApiFormatBase.php @@ -178,6 +178,9 @@ abstract class ApiFormatBase extends ApiBase { ); } + // API handles its own clickjacking protection. + // Note, that $wgBreakFrames will still override $wgApiFrameOptions for format mode. + $out->allowClickJacking(); $out->output(); } else { // For non-HTML output, clear all errors that might have been
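Review bot: In the includes/DefaultSettings.php hunk, the new doc line "Note: $wgBreakFrames will override this for human formatted API output." does not state the condition or the direction of the override. The commit message says frames are still broken only when $wgBreakFrames is true, so an admin reading the setting alone cannot tell whether 'SAMEORIGIN' or false here will actually be honoured for the "fm" formats. Suggest wording it along the lines of: "Note: if $wgBreakFrames is true, framing of the human-readable ("fm") API output is still blocked regardless of this setting." Using the same term as the commit message ("fm" modes) would also make the comment easier to search for.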
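Review bot: In the includes/api/ApiFormatBase.php hunk, $out->allowClickJacking() is called unconditionally just before $out->output(), and nothing in the visible lines checks $wgApiFrameOptions or shows where the API's own frame header is sent for this HTML path. Since the default is $wgApiFrameOptions = 'DENY', the safety of this change depends entirely on that header being emitted elsewhere before output; please point to that code in the comment (the current "API handles its own clickjacking protection." does not say where) or add the check here, and add a test asserting that formatted output with the default setting still carries a deny header. Minor: "Note, that" should drop the comma, and "format mode" should match the "fm" wording used in the commit message.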