Hi, I wanted to call attention on this list to a small change [1] in the API that we just released as part of a security update [2]. We previously had not set X-Frame-Options headers on the result of API queries. This could leave a site open to a variety of UI redressing attacks, so the WMF sites now set the X-Frame-Options header to 'DENY' on API results. This will also be the default configuration for new downloads.
If you need to show the result of an API query in an iframe, you can set $wgApiFrameOptions = false to disable the header. However, I would encourage everyone to keep the header, as it will help prevent this type of attack.
[1] - https://bugzilla.wikimedia.org/show_bug.cgi?id=39180
[2] - http://lists.wikimedia.org/pipermail/mediawiki-announce/2012-August/000119.h...
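
One way to confirm that a wiki's API results carry the header after upgrading, as an added example that is not part of the original message or of MediaWiki: it parses captured raw responses and reports which ones are missing X-Frame-Options or carry unknown or conflicting values. The sample responses are constructed, and the function names, the verdict labels and the acceptance of the standard SAMEORIGIN value are assumptions of this example.

```python
# Added example: audit captured API responses for the X-Frame-Options header.
PROTECTIVE = {"DENY", "SAMEORIGIN"}  # SAMEORIGIN: standard value, not named in the post


def frame_options_values(raw_response: bytes) -> list:
    """Return every X-Frame-Options token in a raw HTTP response, upper-cased."""
    head = raw_response.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    values = []
    for line in head.split("\r\n")[1:]:  # first line is the status line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "x-frame-options":
            values.extend(t.strip().upper() for t in value.split(",") if t.strip())
    return values


def verdict(raw_response: bytes) -> str:
    """Classify a response as 'deny', 'sameorigin', 'missing' or 'invalid'."""
    tokens = set(frame_options_values(raw_response))
    if not tokens:
        return "missing"
    if len(tokens) == 1 and tokens <= PROTECTIVE:
        return tokens.pop().lower()
    return "invalid"  # unknown or conflicting values: do not rely on them


def unprotected(samples: dict) -> list:
    """Names of captured responses with no reliable framing restriction."""
    return sorted(n for n, raw in samples.items()
                  if verdict(raw) in ("missing", "invalid"))


# Constructed sample responses (hypothetical, not real captures).
SAMPLES = {
    "patched": b"HTTP/1.1 200 OK\r\nContent-Type: application/json\r\n"
               b"X-Frame-Options: DENY\r\n\r\n{}",
    "header-disabled": b"HTTP/1.1 200 OK\r\nContent-Type: application/json\r\n\r\n{}",
    "lowercase": b"HTTP/1.1 200 OK\r\nx-frame-options: sameorigin\r\n\r\n{}",
    "conflicting": b"HTTP/1.1 200 OK\r\nX-Frame-Options: DENY\r\n"
                   b"X-Frame-Options: BOGUS\r\n\r\n{}",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:16} {verdict(raw)}")
    print("unprotected:", unprotected(SAMPLES))
```

The "header-disabled" sample corresponds to a wiki running with $wgApiFrameOptions = false, which this check reports as unprotected.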