(bug 39180) Set x-frame-options='DENY' for api

By default, set the x-frame-options header for api result pages
to 'DENY'. This is to prevent an attacker from iframing an api
page that includes tokens and stealing them from a user, for example
with a fake captcha prompt.

The global $wgApiFrameOptions is used for the value, or can be set
to false to disable setting the header.

Change-Id: I498f874d7f6c180ec4f3abfc81f773c0fa0f421d

diff --git a/includes/DefaultSettings.php b/includes/DefaultSettings.php
index a6244ed..acbcd0a 100644 (file)
--- a/includes/DefaultSettings.php
+++ b/includes/DefaultSettings.php
@@ -2620,6 +2620,18 @@ $wgBreakFrames = false;
  */
 $wgEditPageFrameOptions = 'DENY';
 
+/**
+ * Disallow framing of API pages directly, by setting the X-Frame-Options
+ * header. Since the API returns CSRF tokens, allowing the results to be
+ * framed can compromise your user's account security.
+ * Options are:
+ *   - 'DENY': Do not allow framing. This is recommended for most wikis.
+ *   - 'SAMEORIGIN': Allow framing by pages on the same domain.
+ *   - false: Allow all framing.
+ */
+
+$wgApiFrameOptions = 'DENY';
+
 /**
  * Disable output compression (enabled by default if zlib is available)
  */

diff --git a/includes/api/ApiFormatBase.php b/includes/api/ApiFormatBase.php
index a8d69f5..54c90a6 100644 (file)
--- a/includes/api/ApiFormatBase.php
+++ b/includes/api/ApiFormatBase.php
@@ -143,6 +143,12 @@ abstract class ApiFormatBase extends ApiBase {
 
                $this->getMain()->getRequest()->response()->header( "Content-Type: $mime; charset=utf-8" );
 
+               //Set X-Frame-Options API results (bug 39180)
+               global $wgApiFrameOptions;
+               if ( $wgApiFrameOptions ) {
+                       $this->getMain()->getRequest()->response()->header( "X-Frame-Options: $wgApiFrameOptions" );
+               }
+
                if ( $isHtml ) {
 ?>
 <!DOCTYPE HTML>