From d94e6411a5f7a0cb6f3ef2c67a4867dc3828cb7d Mon Sep 17 00:00:00 2001 From: Brian Wolff Date: Wed, 22 Oct 2014 22:49:54 -0300 Subject: [PATCH] Respect $wgApiFrameOptions in formatted API output mode This restores the pre- d25cb992 behaviour. Apparently UploadWizard's flickr module relies on this (Which seems rather wrong, but regardless I still think api handling of $wgApiFrameOptions should extend to the "fm" modes.) Note: If $wgBreakFrames is true, then frames will still be broken. Although this is a change from prior behaviour, it makes sense to me that $wgBreakFrames would not allow the human readable output of the API be frammed. Bug: 72340 Change-Id: Ia61a4698f7044acfcd7339207590d9333f4100cb
---
 includes/DefaultSettings.php | 1 + includes/api/ApiFormatBase.php | 3 +++ 2 files changed, 4 insertions(+)
diff --git a/includes/DefaultSettings.php b/includes/DefaultSettings.php
index af36a64d17..d45e5730c7 100644
--- a/includes/DefaultSettings.php
+++ b/includes/DefaultSettings.php
@@ -3079,6 +3079,7 @@ $wgEditPageFrameOptions = 'DENY';
 * - 'DENY': Do not allow framing. This is recommended for most wikis.
 * - 'SAMEORIGIN': Allow framing by pages on the same domain.
 * - false: Allow all framing.
+ * Note: $wgBreakFrames will override this for human formatted API output.
 */
 $wgApiFrameOptions = 'DENY';
diff --git a/includes/api/ApiFormatBase.php b/includes/api/ApiFormatBase.php
index f0037bb291..62705ef93d 100644
--- a/includes/api/ApiFormatBase.php
+++ b/includes/api/ApiFormatBase.php
@@ -178,6 +178,9 @@ abstract class ApiFormatBase extends ApiBase {
 );
 }
+ // API handles its own clickjacking protection.
+ // Note, that $wgBreakFrames will still override $wgApiFrameOptions for format mode.
+ $out->allowClickJacking();
 $out->output();
 } else {
 // For non-HTML output, clear all errors that might have been
--
2.20.1
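Review bot: "override" in the added line `Note: $wgBreakFrames will override this for human formatted API output.` does not say in which direction, and an administrator who sets $wgApiFrameOptions to 'SAMEORIGIN' or false needs to know what the formatted output will actually do. Going by the commit description, a true $wgBreakFrames still breaks frames, so the line could read `Note: if $wgBreakFrames is true, the human-readable (HTML) API output is never frameable, whatever this is set to.` The same wording appears in the comment added in includes/api/ApiFormatBase.php.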
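Review bot: The unconditional `$out->allowClickJacking();` before `$out->output();` switches off OutputPage's own frame protection for the HTML ("fm") output, so the only X-Frame-Options left for this page is whatever the API layer sends from $wgApiFrameOptions, and that code is not visible in this hunk. The comment `API handles its own clickjacking protection.` should name where that header is emitted (presumably the API main module) and state the permissive case, for example `// X-Frame-Options is sent by the API itself from $wgApiFrameOptions; if that is false, this HTML output is frameable unless $wgBreakFrames is true.` A regression test that requests an fm format and checks the resulting frame header for 'DENY', 'SAMEORIGIN' and false would guard against a repeat of the change in d25cb992 that this patch reverts. The enclosing method of ApiFormatBase begins and ends outside the hunk.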