Hi Aryeh, thanks for answering!
2011/1/9 Aryeh Gregor <Simetrical+wikilist(a)gmail.com>:
> 2011/1/8 Jérémie Roquet <arkanosis(a)gmail.com>:
>> Both of them use a trick with an iframe to allow javascript requests
>> across the wikipedia.org subdomains (something that is not possible
>> using AJAX).
>
> It would be possible if we started using CORS, at least in recent
> enough browsers.
It would be awesome to have this enabled to allow AJAX requests across
all the Wikimedia projects.
I mean, not only would it allow me to make my tools work again without
the iframe hack, but I have many other ideas of really cool new tools
that could be built upon CORS (including interactions between
Wikipedia and Wikimedia Commons, which I could not achieve with the
iframe trick).
Sure, it wouldn't work in as many browsers as the iframe trick did,
but I really prefer something that requires a modern browser to work
to something that requires an old one ;-)
>> - Does anybody know if having X-Frame-Options set to SAMEORIGIN would
>> allow such tricks while still preventing clickjacking attacks from
>> other domains (the actual question is: `would it work'?)
>
> en.wikipedia.org is not the same origin as fr.wikipedia.org.
True, but it appears that setting document.domain to the same value
for both subdomains (i.e. 'wikipedia.org') is enough to have the same
origin. [1]
That's what I was already doing for iKiwi and xmsg to work, because
without this, most browsers already enforce the same origin policy for
DOM manipulations inside (i)frames. With it, it works fine, even with
the NoScript addon.
>> Any other idea on how to make such tools work again would of course be
>> highly appreciated.
>
> I'm not very knowledgeable in this sort of thing, I'm afraid. HTML5's
> postMessage() might be useful.
Thanks for the tip, I had never heard about this before. However, reading
the description at MDN [2], I'm afraid it doesn't address the current
issue at all because it requires two windows to communicate together
(which is exactly what X-Frame-Options forbids).
That would have allowed making cross-domain requests (e.g. between
Wikipedia and Wikimedia Commons), but with X-Frame-Options I'm afraid
it's just as useless as the iframe hack.
That said, my questions now are:
- It would be very nice to have CORS enabled across the Wiki[mp]edia
subdomains (I see it has been mentioned by Brion in the `JavaScript
access to uploaded file contents' thread [3][4] for
upload.wikimedia.org) ⇒ is it something that can be done / discussed?
It looks like the code for this is already there [5], maybe I should
open a new bug right now?
- Taking the document.domain trick into account ⇒ would setting
X-Frame-Options to SAMEORIGIN instead of DENY allow frames between
/sub/domains?
Thanks again! Best regards,
[1] http://en.wikipedia.org/wiki/Same_origin_policy#Additional_document.domain_…
[2] https://developer.mozilla.org/en/dom/window.postmessage
[3] http://lists.wikimedia.org/pipermail/wikitech-l/2011-January/050972.html
[4] https://bugzilla.wikimedia.org/show_bug.cgi?id=25886
[5] https://bugzilla.wikimedia.org/show_bug.cgi?id=19907
--
Jérémie
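The two questions in the message above (a CORS allowlist across the Wiki[mp]edia subdomains, and whether X-Frame-Options: SAMEORIGIN lets subdomains frame each other) worked through as an added Node.js example that is not code from the thread or from MediaWiki. The allowed parent domains and the https-only rule are assumptions made here for illustration.

```javascript
// Added example (not code from the thread or from MediaWiki): an origin
// allowlist for CORS across wiki subdomains, and the origin comparison a
// browser performs for X-Frame-Options: SAMEORIGIN. Parent domains below
// are assumed for illustration.
const ALLOWED_PARENTS = ['wikipedia.org', 'wikimedia.org'];

// Parse an Origin header value. Returns null unless it is a bare http(s)
// origin: the header never carries a path, query or fragment.
function parseOrigin(value) {
  let url;
  try { url = new URL(String(value)); } catch (e) { return null; }
  if (url.protocol !== 'https:' && url.protocol !== 'http:') return null;
  if (url.pathname !== '/' || url.search !== '' || url.hash !== '') return null;
  return url;
}

// True when host is `parent` or a subdomain of it. Anchoring on the label
// boundary matters: a plain suffix test would accept "evilwikipedia.org".
function hostUnder(host, parent) {
  return host === parent || host.endsWith('.' + parent);
}

// CORS headers for a request from originHeader, or null to send none.
// The exact origin is echoed rather than "*" so that credentialed
// requests (logged-in tools) can work, and Vary: Origin keeps shared
// caches from serving one origin's answer to another.
function corsHeadersFor(originHeader) {
  const origin = parseOrigin(originHeader);
  if (origin === null) return null;
  if (origin.protocol !== 'https:') return null; // assumed: wikis are https-only
  if (!ALLOWED_PARENTS.some(p => hostUnder(origin.hostname, p))) return null;
  return {
    'Access-Control-Allow-Origin': origin.origin,
    'Access-Control-Allow-Credentials': 'true',
    'Vary': 'Origin',
  };
}

// SAMEORIGIN is decided on the (scheme, host, port) origin of the framing
// document. document.domain relaxes DOM access between frames that have
// already loaded; it does not change the origin used for this check, so
// two different subdomains still cannot frame each other.
function sameOriginFrameAllowed(framerUrl, framedUrl) {
  try {
    return new URL(framerUrl).origin === new URL(framedUrl).origin;
  } catch (e) {
    return false;
  }
}
```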