Hi, I wanted to call attention on this list to a small change [1] in the API that we just released as part of a security update [2]. We previously had not set X-Frame-Options headers on the result of API queries. This could leave a site open to a variety of UI redressing attacks, so the WMF sites now set the X-Frame-Options header to 'DENY' on API results. This will also be the default configuration for new downloads.
If you need to show the result of an API query in an iframe, you can set $wgApiFrameOptions = false to disable the header. However, I would encourage everyone to keep the header, as it will help prevent this type of attack.
[1] - https://bugzilla.wikimedia.org/show_bug.cgi?id=39180
[2] - http://lists.wikimedia.org/pipermail/mediawiki-announce/2012-August/000119.h...
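As an added example (not from the mailing-list post and not MediaWiki's own code): a small Python check that, given a response's headers, reports whether an api.php result could still be loaded in a cross-site iframe, together with a toy model of how the $wgApiFrameOptions setting described above maps to the emitted header. The sample responses are constructed, and the `api_frame_header` function is an assumption about the setting's semantics as stated in the post, not MediaWiki's source.

```python
from typing import Dict, List, Optional, Union

# Constructed sample responses (header dicts as a client would receive them).
# None of these are captured from a real site.
SAMPLE_RESPONSES: Dict[str, Dict[str, str]] = {
    # api.php before the security update: no framing protection at all
    "api_before_fix": {"Content-Type": "application/json; charset=utf-8"},
    # api.php after the update: DENY blocks every framing attempt
    "api_after_fix": {"Content-Type": "application/json; charset=utf-8",
                      "X-Frame-Options": "DENY"},
    # Header names and values are case-insensitive; this must still count as DENY
    "api_lowercase": {"content-type": "application/json",
                      "x-frame-options": "deny"},
    # A normal wiki page: SAMEORIGIN allows framing only from the same origin
    "wiki_page": {"Content-Type": "text/html; charset=UTF-8",
                  "X-Frame-Options": "SAMEORIGIN"},
    # A value browsers do not recognise gives no protection at all
    "api_bad_value": {"Content-Type": "application/json",
                      "X-Frame-Options": "ALLOWALL"},
}


def get_header(headers: Dict[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup (HTTP header names are case-insensitive)."""
    wanted = name.lower()
    for key, value in headers.items():
        if key.lower() == wanted:
            return value
    return None


def frame_policy(headers: Dict[str, str]) -> str:
    """Classify the X-Frame-Options header as DENY, SAMEORIGIN, absent or unrecognised."""
    value = get_header(headers, "X-Frame-Options")
    if value is None:
        return "absent"
    token = value.strip().upper()
    if token in ("DENY", "SAMEORIGIN"):
        return token
    return "unrecognised"


def framable_cross_site(headers: Dict[str, str]) -> bool:
    """True when a third-party page could embed this response in an iframe.

    Only DENY and SAMEORIGIN stop cross-site framing; a missing or
    unrecognised value is ignored by browsers and therefore offers nothing.
    """
    return frame_policy(headers) not in ("DENY", "SAMEORIGIN")


def audit(responses: Dict[str, Dict[str, str]]) -> List[str]:
    """Return the (sorted) names of responses that a cross-site page could frame."""
    return sorted(name for name, hdrs in responses.items() if framable_cross_site(hdrs))


def api_frame_header(wg_api_frame_options: Union[bool, str, None]) -> Optional[str]:
    """Toy model (assumption, not MediaWiki's code) of the setting in the post:
    false disables the header entirely; a string value is emitted as the header."""
    if wg_api_frame_options is False or wg_api_frame_options is None:
        return None
    return str(wg_api_frame_options)


if __name__ == "__main__":
    for name, hdrs in SAMPLE_RESPONSES.items():
        print(f"{name:16s} policy={frame_policy(hdrs):13s} "
              f"framable_cross_site={framable_cross_site(hdrs)}")
    print("responses needing attention:", audit(SAMPLE_RESPONSES))
    print("header with default setting:", api_frame_header("DENY"))
    print("header with $wgApiFrameOptions = false:", api_frame_header(False))
```

Running the audit over the constructed set flags only `api_before_fix` and `api_bad_value`; the lowercase variant is correctly recognised as DENY. The same `audit` function can be pointed at headers captured from your own wiki's api.php to confirm the header survives any reverse proxy or cache in front of it.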
Forwarding to the announcements list. This also causes this to re-post to the mediawiki-api list, sorry about that.
Roan
---------- Forwarded message ----------
From: Chris Steipp csteipp@wikimedia.org
Date: Thu, Aug 30, 2012 at 10:47 PM
Subject: [Mediawiki-api] X-Frame-Options header
To: mediawiki-api@lists.wikimedia.org