2011/1/9 Roan Kattouw roan.kattouw@gmail.com:
2011/1/9 Jérémie Roquet arkanosis@gmail.com:
- It would be very nice to have CORS enabled across the Wiki[mp]edia subdomains (I see it has been mentioned by Brion in the `JavaScript access to uploaded file contents' thread [3][4] for upload.wikimedia.org) => is it something that can be done / discussed?
This has been discussed in a few contexts now, and we all seem to agree that this is a good idea and should definitely be enabled. I'd propose doing this after we deploy 1.17wmf1 and stuff has calmed down a bit (it's not uncommon for things to break after a major deployment).
Hi Roan. It's great if there's no major opposition to it :)
It looks like the code for this is already there [5], maybe I should open a new bug right now?
Would be nice to track it in BZ, yes.
Will do so and give the link there. Thanks!
2011/1/9 Aryeh Gregor Simetrical+wikilist@gmail.com:
I don't see any detailed documentation for X-Frame-Options anywhere. It looks like IE8 made it up with no detailed spec and other browsers copied the general idea still with no detailed spec. So I don't know, sorry.
No worries :) Thanks again.
2011/1/9 Ilmari Karonen nospam@vyznev.net:
Both of them use a trick with an iframe to allow javascript requests across the wikipedia.org subdomains (something that is not possible using AJAX).
Use JSONP. The MediaWiki API supports it through the "callback" parameter.
Hi Ilmari, great idea! It's not as powerful as the iframe hack was (since it's limited to the api), but I think it's enough for me to release a quick fix for iKiwi (not for xmsg, unfortunately, because userinfo is not accessible that way). I didn't know about the callback parameter, so you just saved my business ;-) Thanks a lot!
2011/1/10 Tim Starling tstarling@wikimedia.org:
On 10/01/11 01:23, Jérémie Roquet wrote:
- Taking the document.domain trick into account ⇒ would setting X-Frame-Options to SAMEORIGIN instead of DENY allow frames between /sub/domains?
No, SAMEORIGIN does not allow framing from say en.wikipedia.org to fr.wikipedia.org. It only allows framing within the exact same domain. http://blogs.msdn.com/b/ie/archive/2009/01/27/ie8-security-part-vii-clickjac...
Hi Tim, thanks for the link and the explanations!
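
The SAMEORIGIN behaviour Tim describes above, as an added example that is not part of the original thread and not browser or MediaWiki code: a simplified model of the framing decision. The function names and sample URLs are constructed for illustration, and comparing the full origin (scheme, host, port) and treating unrecognised header values as "no restriction" are assumptions of this model.

```javascript
// Simplified model of how a browser applies X-Frame-Options to a framed page.
// Assumption: "same origin" is modelled as URL.origin equality (scheme + host + port).

function originOf(url) {
  // URL.origin normalises default ports, e.g. https://host:443 -> https://host
  return new URL(url).origin;
}

// xfoHeader:  value of X-Frame-Options sent with the framed page (or null if absent)
// framedUrl:  URL of the page being loaded inside the frame
// framingUrl: URL of the page that contains the <iframe>
function frameAllowed(xfoHeader, framedUrl, framingUrl) {
  const value = (xfoHeader || "").trim().toUpperCase();
  switch (value) {
    case "DENY":
      return false; // never rendered in a frame, whoever the parent is
    case "SAMEORIGIN":
      // Sibling subdomains do not count: en.wikipedia.org != fr.wikipedia.org
      return originOf(framedUrl) === originOf(framingUrl);
    default:
      return true; // header absent or unrecognised: this header imposes nothing
  }
}

// Constructed sample cases covering the situations discussed in the thread.
function sampleDecisions() {
  const en = "https://en.wikipedia.org/wiki/Main_Page";
  const enOther = "https://en.wikipedia.org:443/wiki/Special:Watchlist";
  const fr = "https://fr.wikipedia.org/wiki/Accueil";
  return {
    denySameHost: frameAllowed("DENY", en, enOther),
    sameOriginSameHost: frameAllowed("SAMEORIGIN", en, enOther),
    sameOriginSiblingSubdomain: frameAllowed("SAMEORIGIN", en, fr),
    lowercaseValue: frameAllowed("sameorigin", en, fr),
    noHeader: frameAllowed(null, en, fr),
  };
}

console.log(sampleDecisions());
```
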