Hello everyone, happy new year.
Following #26561 [1] and the MediaWiki security release 1.16.1 [2],
some cross-wiki userscripts of mine do not work anymore.
Namely, these scripts are:
- iKiwi [3] which is used to retrieve all interwikis of a local
article from another wiki and is extensively used by the French
interwikification project [4];
- xmsg [5] which is used to check new messages on other wikis when
logged in (and which I'm probably the only person to use).
Both of them use a trick with an iframe to allow JavaScript requests
across the wikipedia.org subdomains (something that is not possible
using AJAX).
So, my questions are:
- Does anybody know if having X-Frame-Options set to SAMEORIGIN would
allow such tricks while still preventing clickjacking attacks from
other domains (the actual question is: "would it work?")?
- If so, is there any reason to use DENY instead of SAMEORIGIN, i.e.
is there any pragmatic reason to forbid frames from the very same
domain (wikipedia.org)?
Any other idea on how to make such tools work again would of course be
highly appreciated.
Thanks in advance,
[1] https://bugzilla.wikimedia.org/show_bug.cgi?id=26561
[2] http://lists.wikimedia.org/pipermail/mediawiki-announce/2011-January/000093…
[3] http://en.wikipedia.org/wiki/User:Arkanosis/iKiwi.js
[4] http://fr.wikipedia.org/wiki/Projet:Interwikification
[5] http://fr.wikipedia.org/wiki/User:Arkanosis/xmsg.js
--
Jérémie
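
Added example, not part of the original message and not MediaWiki code: a small model of how a browser evaluates the X-Frame-Options values discussed above when one wikipedia.org subdomain frames another. The function names and sample URLs are constructed, and checking every ancestor frame is an assumption (older browsers compared only the top-level page).

```javascript
// Model of X-Frame-Options evaluation for a framed page (illustration only).
// An origin is scheme + host + port, so sibling subdomains are different origins.
function originOf(url) {
  return new URL(url).origin;
}

// headerValue:  X-Frame-Options value sent with the framed page ("" if absent).
// framedUrl:    URL of the document loaded inside the iframe.
// ancestorUrls: URLs of the embedding documents, innermost parent first.
//               Assumption: every ancestor must match.
function frameAllowed(headerValue, framedUrl, ancestorUrls) {
  const value = (headerValue || "").trim().toUpperCase();
  if (value === "DENY") {
    return false; // never rendered inside any frame, even on the same host
  }
  if (value === "SAMEORIGIN") {
    const framed = originOf(framedUrl);
    return ancestorUrls.every((u) => originOf(u) === framed);
  }
  // No header or an unrecognised value: modelled as "no restriction" (assumption).
  return true;
}

// Constructed sample cases mirroring the cross-wiki iframe setup.
function sampleCases() {
  const en = "http://en.wikipedia.org/wiki/Example";
  const fr = "http://fr.wikipedia.org/wiki/Exemple";
  const other = "http://attacker.example/page";
  return {
    denySameHost: frameAllowed("DENY", en, [en]),
    sameOriginSameHost: frameAllowed("SAMEORIGIN", en, [en]),
    sameOriginSiblingSubdomain: frameAllowed("SAMEORIGIN", en, [fr]),
    sameOriginOtherDomain: frameAllowed("SAMEORIGIN", en, [other]),
    sameOriginNestedMixed: frameAllowed("SAMEORIGIN", en, [en, fr]),
    noHeader: frameAllowed("", en, [fr]),
  };
}

console.log(sampleCases());
```
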