Hi Aryeh, thanks for answering!
2011/1/9 Aryeh Gregor <Simetrical+wikilist@gmail.com>:
> 2011/1/8 Jérémie Roquet <arkanosis@gmail.com>:
>> Both of them use a trick with an iframe to allow javascript requests across the wikipedia.org subdomains (something that is not possible using AJAX).
>
> It would be possible if we started using CORS, at least in recent enough browsers.
It would be awesome to have this enabled to allow AJAX requests across all the Wikimedia projects. I mean, not only it would allow to make my tools work again without the iframe hack, but I have many other ideas of really cool new tools that could be built upon CORS (including interactions between Wikipedia and Wikimedia Commons, which I could not achieve with the iframe trick).
Sure, it wouldn't work in as many browsers as the iframe trick did, but I really prefer something that requires a modern browser to work to something that requires an old one ;-)
>> - Does anybody know if having X-Frame-Options set to SAMEORIGIN would allow such tricks while still preventing clickjacking attacks from other domains (the actual question is: `would it work'?)
>
> en.wikipedia.org is not the same origin as fr.wikipedia.org.
True, but it appears that setting document.domain to the same value for both subdomains (i.e. 'wikipedia.org') is enough to have the same origin. [1] That's what I was already doing for iKiwi and xmsg to work, because without this, most browsers already enforce the same origin policy for DOM manipulations inside (i)frames. With it, it works fine, even with the NoScript addon.
>> Any other idea on how to make such tools work again would of course be highly appreciated.
>
> I'm not very knowledgeable in this sort of thing, I'm afraid. HTML5's postMessage() might be useful.
Thanks for the tip, I had never heard of this before. However, reading the description at MDN [2], I'm afraid it doesn't address the current issue at all because it requires two windows to communicate together (which is exactly what X-Frame-Options forbids). That would have allowed making cross-domain requests (e.g. between Wikipedia and Wikimedia Commons), but with X-Frame-Options I'm afraid it's just as useless as the iframe hack.
That said, my questions now are:

- It would be very nice to have CORS enabled across the Wiki[mp]edia subdomains (I see it has been mentioned by Brion in the `JavaScript access to uploaded file contents' thread [3][4] for upload.wikimedia.org) ⇒ is it something that can be done / discussed? It looks like the code for this is already there [5]; maybe I should open a new bug right now?
- Taking the document.domain trick into account ⇒ would setting X-Frame-Options to SAMEORIGIN instead of DENY allow frames between /sub/domains?
Thanks again! Best regards,
[1] http://en.wikipedia.org/wiki/Same_origin_policy#Additional_document.domain_l...
[2] https://developer.mozilla.org/en/dom/window.postmessage
[3] http://lists.wikimedia.org/pipermail/wikitech-l/2011-January/050972.html
[4] https://bugzilla.wikimedia.org/show_bug.cgi?id=25886
[5] https://bugzilla.wikimedia.org/show_bug.cgi?id=19907
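Editor's note: the thread asks for CORS to be enabled across the Wikimedia project subdomains. The part a server operator has to get right is the origin check that decides whether to echo a request's Origin header back in Access-Control-Allow-Origin. The example below is added here and is not code from the thread, from MediaWiki or from any Wikimedia bug; the parent-domain list, the function names and the sample origins are constructed stand-ins. It shows an allowlist that matches subdomains on a label boundary and sends Vary: Origin, beside the unanchored suffix regex that is the usual mistake (it accepts any host whose name merely ends in the expected string).

```javascript
// Added example, not from the thread: deciding which CORS headers to attach
// for a request whose Origin header is `originHeader`.
// Assumption: the parent domains below are placeholders for whatever a real
// deployment reads from its configuration.

const ALLOWED_PARENT_DOMAINS = ["wikipedia.org", "wikimedia.org"]; // constructed
const ALLOWED_SCHEMES = new Set(["https:", "http:"]);

// True when `host` is `parent` itself or a subdomain of it. The leading-dot
// check is what keeps a host such as "notwikipedia.org" from matching.
function isSubdomainOf(host, parent) {
  return host === parent || host.endsWith("." + parent);
}

// Returns the CORS response headers for a trusted origin, or null when the
// origin is not trusted. On null the caller sends no
// Access-Control-Allow-Origin at all, so the browser refuses the cross-origin read.
function corsHeadersFor(originHeader) {
  // Browsers send the literal string "null" for opaque origins (sandboxed
  // frames, file: pages); never echo that back.
  if (typeof originHeader !== "string" || originHeader === "null") return null;

  let origin;
  try {
    origin = new URL(originHeader); // also lowercases the host for us
  } catch {
    return null; // not a syntactically valid origin
  }
  if (!ALLOWED_SCHEMES.has(origin.protocol)) return null;

  const host = origin.hostname;
  if (!ALLOWED_PARENT_DOMAINS.some((parent) => isSubdomainOf(host, parent))) {
    return null;
  }

  return {
    // Echo the normalised scheme://host[:port] form, never "*", because the
    // response is marked as readable with credentials (cookies) attached.
    "Access-Control-Allow-Origin": origin.origin,
    "Access-Control-Allow-Credentials": "true",
    // Tell caches the response body/headers depend on the Origin header.
    "Vary": "Origin",
  };
}

// The check many deployments start with: an unanchored suffix test. It is
// kept here only to show the class of origin it wrongly accepts.
function naiveAllows(originHeader) {
  return /wikipedia\.org$/.test(originHeader);
}

// Stand-alone demonstration on constructed origins.
for (const o of [
  "https://fr.wikipedia.org",
  "https://commons.wikimedia.org",
  "https://notwikipedia.org",
  "https://wikipedia.org.example.test",
  "null",
]) {
  console.log(o, "->", corsHeadersFor(o) ? "allowed" : "rejected",
              "(naive:", naiveAllows(o) ? "allowed" : "rejected", ")");
}
```

The response should carry Vary: Origin whenever Access-Control-Allow-Origin is computed from the request, otherwise a shared cache may serve one subdomain's reflected header to a different requester.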