dépôts / lhc / web / wiklou.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: d24732b) | patch
(bug 39180) Set x-frame-options='DENY' for api
authorcsteipp <csteipp@wikimedia.org>
Fri, 17 Aug 2012 19:20:47 +0000 (12:20 -0700)
committercsteipp <csteipp@wikimedia.org>
Fri, 17 Aug 2012 19:20:47 +0000 (12:20 -0700)
commit32b99b11c9e71579b2bdabacb687472f9c81aae5
tree86ab8151adbce4bb7f6d4581116a9caffdecc6c9tree | snapshot
parentd24732b07a87791565bd524c8b8e3aaabfdb61dccommit | diff
(bug 39180) Set x-frame-options='DENY' for api

By default, set the x-frame-options header for api result pages
to 'DENY'. This is to prevent an attacker from iframing an api
page that includes tokens and stealing them from a user, for example
with a fake captcha prompt.

The global $wgApiFrameOptions is used for the value, or can be set
to false to disable setting the header.

Change-Id: I498f874d7f6c180ec4f3abfc81f773c0fa0f421d
includes/DefaultSettings.php diff | blob | history
includes/api/ApiFormatBase.php diff | blob | history
Wiklou, le Wiki du Wiklou