Merge "(bug 39180) Set x-frame-options='DENY' for api"

diff --git a/includes/DefaultSettings.php b/includes/DefaultSettings.php
index a24081d..bc04f08 100644 (file)
--- a/includes/DefaultSettings.php
+++ b/includes/DefaultSettings.php
@@ -2628,6 +2628,18 @@ $wgBreakFrames = false;
  */
 $wgEditPageFrameOptions = 'DENY';
 
+/**
+ * Disallow framing of API pages directly, by setting the X-Frame-Options
+ * header. Since the API returns CSRF tokens, allowing the results to be
+ * framed can compromise your user's account security.
+ * Options are:
+ *   - 'DENY': Do not allow framing. This is recommended for most wikis.
+ *   - 'SAMEORIGIN': Allow framing by pages on the same domain.
+ *   - false: Allow all framing.
+ */
+
+$wgApiFrameOptions = 'DENY';
+
 /**
  * Disable output compression (enabled by default if zlib is available)
  */

diff --git a/includes/api/ApiFormatBase.php b/includes/api/ApiFormatBase.php
index a8d69f5..54c90a6 100644 (file)
--- a/includes/api/ApiFormatBase.php
+++ b/includes/api/ApiFormatBase.php
@@ -143,6 +143,12 @@ abstract class ApiFormatBase extends ApiBase {
 
                $this->getMain()->getRequest()->response()->header( "Content-Type: $mime; charset=utf-8" );
 
+               //Set X-Frame-Options API results (bug 39180)
+               global $wgApiFrameOptions;
+               if ( $wgApiFrameOptions ) {
+                       $this->getMain()->getRequest()->response()->header( "X-Frame-Options: $wgApiFrameOptions" );
+               }
+
                if ( $isHtml ) {
 ?>
 <!DOCTYPE HTML>