[MediaWiki-l] Embedded login and account creation

Chris Steipp csteipp at wikimedia.org
Thu Oct 1 16:12:25 UTC 2015


On Thu, Oct 1, 2015 at 2:12 AM, Ad Strack van Schijndel <
ad.strackvanschijndel at gmail.com> wrote:

> Hi Chris,
>
> Thanks for your answer! One thing I don't understand is about the XFO
> headers.
> Do we have to add them, or is it a condition that we don't have them?
>

You should add them.

MediaWiki will set X-Frame-Options: DENY by default on API results and edit
pages, but if you have a login box on every page, then you'll need to set
that from your webserver for every page (or you could add a patch to
MediaWiki to do it).


>
> Ad
>
>
> On 30 Sep 2015, at 17:48, Chris Steipp <csteipp at wikimedia.org> wrote:
>
> Hi Ad,
>
> There are some security considerations if you're going to do that:
>
> * We disable site and user .js on Special:UserLogin, so a malicious admin
> can't add password sniffing javascript to the login page
> * We disable framing the page to prevent various redressing attacks
> * If your site is mixed http/https, there is special handling on that page
> to ensure the user enters/submits their password over https.
> * If you're using CentralAuth or another SSO system, then we check if
> you're logged in on Special:UserLogin, to work around some browser cookie
> policies.
>
> So it's *usually* not a good idea to create your own login widget. But if
> you're running your site entirely under https, have a limited number of
> admins, add XFO headers on all pages, and don't use any SSO system, then go
> for it!
>
>
>
> On Tuesday, September 29, 2015, Ad Strack van Schijndel <
> ad.strackvanschijndel at gmail.com> wrote:
>
> > Hi,
> >
> > Is there a way to embed the login and/or the account creation on normal
> > pages?
> >
> > I would like to have the possibility to login in a sidebar as long as the
> > user is anonymous. So that there are no extra clicks to login.
> >
> > I'm sure if there isn't, there is a very good reason for that and I would
> > like to understand that reason.
> >
> > Ad
> > _______________________________________________
> > MediaWiki-l mailing list
> > To unsubscribe, go to:
> > https://lists.wikimedia.org/mailman/listinfo/mediawiki-l
> >
>
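A small audit script, added here as an example and not part of the thread or of MediaWiki itself, that checks whether every page you care about actually sends X-Frame-Options once the login box lives in the sidebar (the default only covers API results and edit pages). The URL layout in the usage block (index.php?title=..., api.php) is the standard MediaWiki one; the page list and base URL are assumptions you pass on the command line.

```python
"""Audit wiki pages for the X-Frame-Options (XFO) header.

Added example, not code from the mailing-list thread. With a login form on
every page, every page needs XFO, not only the API and edit pages.
"""
import sys
from urllib.request import Request, urlopen
from urllib.error import URLError

# Values that actually stop the page being framed by another origin.
SAFE_VALUES = {"DENY", "SAMEORIGIN"}


def classify_frame_options(headers):
    """Return 'DENY', 'SAMEORIGIN', 'ALLOW-FROM', 'INVALID' or 'MISSING'.

    `headers` is any iterable mapping of header names to values (a plain
    dict or the HTTPMessage returned by urlopen(...).headers). Header names
    are matched case-insensitively.
    """
    for name in headers:
        if name.lower() == "x-frame-options":
            token = headers[name].strip().upper()
            if token in SAFE_VALUES:
                return token
            if token.startswith("ALLOW-FROM"):
                return "ALLOW-FROM"  # obsolete; ignored by most browsers
            return "INVALID"
    return "MISSING"


def audit(urls, timeout=10):
    """Fetch each URL and map it to its XFO classification (or an error)."""
    results = {}
    for url in urls:
        try:
            with urlopen(Request(url), timeout=timeout) as resp:
                results[url] = classify_frame_options(resp.headers)
        except URLError as exc:
            results[url] = "ERROR: %s" % exc.reason
    return results


def pages_needing_attention(results):
    """URLs whose response does not carry a framing-safe XFO value."""
    return sorted(u for u, s in results.items() if s not in SAFE_VALUES)


if __name__ == "__main__":
    # Usage: python xfo_audit.py https://wiki.example.org/w Main_Page Help:Contents
    base = sys.argv[1].rstrip("/")
    urls = ["%s/index.php?title=%s" % (base, t) for t in sys.argv[2:]]
    urls.append("%s/api.php" % base)  # protected by default; acts as a control
    report = audit(urls)
    for url, status in report.items():
        print(status, url)
    sys.exit(1 if pages_needing_attention(report) else 0)
```

Run it against a plain article and a few other pages after adding the header in your web server config; a non-zero exit means at least one page is still frameable.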

