Forwarding to the announcements list. This also causes this to re-post
to the mediawiki-api list, sorry about that.
Roan
---------- Forwarded message ----------
From: Chris Steipp <csteipp(a)wikimedia.org>
Date: Thu, Aug 30, 2012 at 10:47 PM
Subject: [Mediawiki-api] X-Frame-Options header
To: mediawiki-api(a)lists.wikimedia.org
Hi, I wanted to call attention on this list to a small change [1] in
the API that we just released as part of a security update [2]. We
previously had not set X-Frame-Options headers on the result of API
queries. This could leave a site open to a variety of UI redressing
attacks, so the WMF sites now set the X-Frame-Options header to 'DENY'
on API results. This will also be the default configuration for new
downloads.
If you need to show the result of an API query in an iframe, you can
set $wgApiFrameOptions = false to disable the header. However, I
would encourage everyone to keep the header, as it will help prevent
this type of attack.
[1] - https://bugzilla.wikimedia.org/show_bug.cgi?id=39180
[2] - http://lists.wikimedia.org/pipermail/mediawiki-announce/2012-August/000119.…
_______________________________________________
Mediawiki-api mailing list
Mediawiki-api(a)lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/mediawiki-api
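A defender-side check for the header described in the message above, as an added example that is not part of the original message or of MediaWiki: it classifies the framing policy of an HTTP response from its raw header block, so API endpoints that lost the header can be flagged. The sample responses are constructed and the function names are hypothetical.

```python
# Added example: classify the framing policy of an HTTP response.
# All responses below are constructed samples, not captured traffic.
SAMPLES = {
    # What the message describes as the new default for API results.
    "api default": "HTTP/1.1 200 OK\r\nContent-Type: application/json\r\n"
                   "X-Frame-Options: DENY\r\n\r\n{}",
    # What a wiki with $wgApiFrameOptions = false would send: no header.
    "header disabled": "HTTP/1.1 200 OK\r\nContent-Type: application/json\r\n\r\n{}",
    # Header names and values are case-insensitive.
    "lower-case name": "HTTP/1.1 200 OK\r\nx-frame-options: sameorigin\r\n\r\n{}",
    # A misspelled value is not a recognised policy.
    "typo in value": "HTTP/1.1 200 OK\r\nX-Frame-Options: DENNY\r\n\r\n{}",
    # Two different values, e.g. one from the app and one from a proxy.
    "conflicting": "HTTP/1.1 200 OK\r\nX-Frame-Options: DENY\r\n"
                   "X-Frame-Options: SAMEORIGIN\r\n\r\n{}",
}


def parse_headers(raw):
    """Return {lower-cased header name: [values]} from a raw HTTP response."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def frame_policy(raw):
    """Return 'deny', 'sameorigin', 'missing', or 'review' for a response."""
    values = {v.upper() for v in parse_headers(raw).get("x-frame-options", [])}
    if not values:
        return "missing"
    if values == {"DENY"}:
        return "deny"
    if values == {"SAMEORIGIN"}:
        return "sameorigin"
    return "review"  # unrecognised or conflicting values need a human look


def unprotected(samples):
    """Names of responses whose framing policy is absent or questionable."""
    return sorted(n for n, raw in samples.items()
                  if frame_policy(raw) in ("missing", "review"))


if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:16} {frame_policy(raw)}")
```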
The behavior of the ignorewarnings parameter in action=upload was
changed [1] recently. The ignorewarnings parameter causes an upload to
go through even if there were (non-fatal) warnings. Previously, it
also removed the warnings from the API output, but with Mark's recent
change, these warnings will now be shown. Clients that check for
"Success" or "Warning" shouldn't break, but clients that only check
for the <warnings> element to see if an upload failed may start
failing.
This change will be part of the 1.20wmf9 deployment, which will go
live on WMF wikis in stages between August 6 and August 13 [2].
Roan
[1] https://gerrit.wikimedia.org/r/#/c/9261/
[2] https://www.mediawiki.org/wiki/MediaWiki_1.20/Roadmap#Schedule_for_the_depl…