By default, set the x-frame-options header for api result pages
to 'DENY'. This is to prevent an attacker from iframing an api
page that includes tokens and stealing them from a user, for example
with a fake captcha prompt.
The global $wgApiFrameOptions is used for the value, or can be set
to false to disable setting the header.
Change-Id: I498f874d7f6c180ec4f3abfc81f773c0fa0f421d
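Added example, not part of this change or of MediaWiki's own code: it mimics the patched ApiFormatBase logic from the hunk below (emit X-Frame-Options only when the configured value is truthy, interpolating the value verbatim) to build the headers an API result would carry for a given $wgApiFrameOptions value, then classifies the framing policy a browser would apply to that response. The checker takes an auditor's worst-case reading of the header: case-insensitive matching, repeated or comma-separated values split into tokens, any unrecognised token (including the obsolete ALLOW-FROM) treated as no protection, and the least restrictive of several recognised tokens assumed to win. `api_result_response`, `parse_headers`, `frame_policy` and `audit` are names chosen here; the JSON body and header set are constructed sample data.

```python
"""Check what framing protection an API result actually gets for a given
$wgApiFrameOptions value (added example; not MediaWiki code)."""
from enum import Enum


class FramePolicy(Enum):
    BLOCK_ALL = "block_all"           # DENY: no page may frame the response
    SAME_ORIGIN_ONLY = "same_origin"  # SAMEORIGIN: only same-origin pages may frame it
    FRAMEABLE = "frameable"           # header absent or unrecognised: any site may frame it


# The only two values browsers act on; X-Frame-Options is case-insensitive (RFC 7034).
RECOGNISED = {"DENY": FramePolicy.BLOCK_ALL, "SAMEORIGIN": FramePolicy.SAME_ORIGIN_ONLY}


def api_result_response(frame_options, body='{"query":{"tokens":{"csrftoken":"sample+\\\\"}}}'):
    """Mimic the patched ApiFormatBase: send X-Frame-Options only when the config
    value is truthy, interpolating it verbatim with no validation.
    `frame_options` stands in for $wgApiFrameOptions; the body is a constructed
    sample token response."""
    headers = [("Content-Type", "application/json; charset=utf-8")]
    if frame_options:
        headers.append(("X-Frame-Options", str(frame_options)))
    head = "\r\n".join(["HTTP/1.1 200 OK"] + [f"{n}: {v}" for n, v in headers])
    return head + "\r\n\r\n" + body


def parse_headers(raw_response):
    """Return (lower-cased name, value) pairs from a raw HTTP/1.x response."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    pairs = []
    for line in head.split("\r\n")[1:]:  # skip the status line
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        pairs.append((name.strip().lower(), value.strip()))
    return pairs


def frame_policy(raw_response):
    """Classify the framing protection a response advertises, worst case first:
    no header -> frameable; any unrecognised token -> frameable (browsers ignore
    values they do not understand, so a typo silently removes the protection);
    otherwise the least restrictive recognised token wins."""
    tokens = [
        t.strip().upper()
        for name, value in parse_headers(raw_response)
        if name == "x-frame-options"
        for t in value.split(",")
    ]
    if not tokens:
        return FramePolicy.FRAMEABLE
    if any(t not in RECOGNISED for t in tokens):
        return FramePolicy.FRAMEABLE
    policies = {RECOGNISED[t] for t in tokens}
    if FramePolicy.SAME_ORIGIN_ONLY in policies:
        return FramePolicy.SAME_ORIGIN_ONLY
    return FramePolicy.BLOCK_ALL


def audit(config_values):
    """Map each candidate $wgApiFrameOptions value to the policy it really yields."""
    return {repr(v): frame_policy(api_result_response(v)).value for v in config_values}


if __name__ == "__main__":
    candidates = ["DENY", "SAMEORIGIN", "deny", False, "deny all", "ALLOW-FROM https://example.org"]
    for setting, policy in audit(candidates).items():
        print(f"{setting:40} -> {policy}")
```

Running it shows that `'DENY'` and `'deny'` both block framing, `False` sends no header and leaves token-bearing results frameable, and a mistyped value such as `'deny all'` is just as unprotected as no header at all, which is the case the verbatim interpolation in the hunk does nothing to catch.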
*/
$wgEditPageFrameOptions = 'DENY';
+/**
+ * Disallow framing of API pages directly, by setting the X-Frame-Options
+ * header. Since the API returns CSRF tokens, allowing the results to be
+ * framed can compromise your user's account security.
+ * Options are:
+ * - 'DENY': Do not allow framing. This is recommended for most wikis.
+ * - 'SAMEORIGIN': Allow framing by pages on the same domain.
+ * - false: Allow all framing.
+ */
+
+$wgApiFrameOptions = 'DENY';
+
/**
* Disable output compression (enabled by default if zlib is available)
*/
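Review bot: the option list in the new doc block does not match what the ApiFormatBase hunk does with the value. `- false: Allow all framing.` should say that no X-Frame-Options header is sent at all (the commit message's "disable setting the header"), and because the value is interpolated verbatim into the header, any other non-empty string is sent as-is, which the doc should state or the code should reject. Two smaller points: the blank line between `*/` and `$wgApiFrameOptions = 'DENY';` separates the comment from the setting it documents, unlike `$wgEditPageFrameOptions` just above, which sits directly under its `*/`; and `your user's account security` should read `your users' account security`.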
$this->getMain()->getRequest()->response()->header( "Content-Type: $mime; charset=utf-8" );
+ //Set X-Frame-Options API results (bug 39180)
+ global $wgApiFrameOptions;
+ if ( $wgApiFrameOptions ) {
+ $this->getMain()->getRequest()->response()->header( "X-Frame-Options: $wgApiFrameOptions" );
+ }
+
if ( $isHtml ) {
?>
<!DOCTYPE HTML>
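Review bot: `$wgApiFrameOptions` is interpolated straight into the header with only a truthiness check, so a typo or an unexpected value in LocalSettings produces a malformed `X-Frame-Options:` header instead of a rejected configuration, silently losing the protection this change adds. Either validate against the documented values before emitting, e.g. `if ( in_array( $wgApiFrameOptions, array( 'DENY', 'SAMEORIGIN' ), true ) )`, or at least document that the value is sent verbatim. Style: the `global $wgApiFrameOptions;` declaration lands mid-method, after the Content-Type header call, rather than at the top of the method; the comment needs a space after `//` and is missing a word (`// Set X-Frame-Options for API results (bug 39180)`); and `$this->getMain()->getRequest()->response()` is now evaluated twice in a row and could be held in a local.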