Hello everyone, happy new year.
Following #26561 [1] and the MediaWiki security release 1.16.1 [2], some cross-wiki userscripts of mine do not work anymore.
Namely, these scripts are:
- iKiwi [3], which is used to retrieve all interwikis of a local article from another wiki and is extensively used by the French interwikification project [4];
- xmsg [5], which is used to check new messages on other wikis when logged in (and which I'm probably the only person to use).
Both of them use a trick with an iframe to allow JavaScript requests across the wikipedia.org subdomains (something that is not possible using AJAX).
So, my questions are:
- Does anybody know if having X-Frame-Options set to SAMEORIGIN would allow such tricks while still preventing clickjacking attacks from other domains (the actual question is: "would it work?")
- If so, is there any reason to use DENY instead of SAMEORIGIN, i.e. is there any pragmatic reason to forbid frames from the very same domain (wikipedia.org)?
Any other idea on how to make such tools work again would of course be highly appreciated.
Thanks in advance,
[1] https://bugzilla.wikimedia.org/show_bug.cgi?id=26561
[2] http://lists.wikimedia.org/pipermail/mediawiki-announce/2011-January/000093....
[3] http://en.wikipedia.org/wiki/User:Arkanosis/iKiwi.js
[4] http://fr.wikipedia.org/wiki/Projet:Interwikification
[5] http://fr.wikipedia.org/wiki/User:Arkanosis/xmsg.js
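
An added example, not part of the original message and not MediaWiki code: a small JavaScript model of how a browser evaluates X-Frame-Options, which for SAMEORIGIN compares full origins (scheme, host and port) rather than the registrable domain. The function names and sample URLs are assumptions made up for illustration, and the model looks only at the direct parent frame.

```javascript
// Added example: model of the X-Frame-Options decision for one framed response.
// All URLs used with it are constructed sample inputs.

// An origin is scheme + host + port; URL.origin drops default ports.
function originOf(url) {
  return new URL(url).origin;
}

// Returns true when the response at framedUrl may render inside parentUrl.
// headerValue is the X-Frame-Options value, or null when the header is absent.
// Assumption: only DENY and SAMEORIGIN are modelled; anything else throws.
function framingAllowed(headerValue, framedUrl, parentUrl) {
  if (headerValue === null || headerValue === undefined) {
    return true; // no header: no framing restriction from this mechanism
  }
  const value = String(headerValue).trim().toUpperCase();
  if (value === "DENY") {
    return false; // never rendered in a frame, even by its own origin
  }
  if (value === "SAMEORIGIN") {
    // Sibling subdomains are different hosts, so they are different origins.
    return originOf(framedUrl) === originOf(parentUrl);
  }
  throw new Error("value not modelled: " + headerValue);
}

// Evaluates both header values for a parent/framed pair (hypothetical helper).
function compareHeaders(framedUrl, parentUrl) {
  return {
    DENY: framingAllowed("DENY", framedUrl, parentUrl),
    SAMEORIGIN: framingAllowed("SAMEORIGIN", framedUrl, parentUrl),
  };
}

// Constructed cases: a cross-subdomain frame, then a same-host frame.
const crossWiki = compareHeaders(
  "http://en.wikipedia.org/wiki/Example",
  "http://fr.wikipedia.org/wiki/Exemple"
);
const sameWiki = compareHeaders(
  "http://fr.wikipedia.org/w/index.php?title=Exemple",
  "http://fr.wikipedia.org/wiki/Exemple"
);
console.log("cross-wiki:", crossWiki); // both false
console.log("same wiki:", sameWiki);   // DENY false, SAMEORIGIN true
```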