2011/1/9 Roan Kattouw <roan.kattouw(a)gmail.com>:
2011/1/9 Jérémie Roquet <arkanosis(a)gmail.com>:
- It would be very nice to have CORS enabled across the Wiki[mp]edia
subdomains (I see it has been mentioned by Brion in the `JavaScript
access to uploaded file contents' thread [3][4] for
upload.wikimedia.org) => is it something that can be done / discussed?
This has been discussed in a few contexts now, and we all seem to
agree that this is a good idea and should definitely be enabled. I'd
propose doing this after we deploy 1.17wmf1 and stuff has calmed down
a bit (it's not uncommon for things to break after a major
deployment).
Hi Roan. It's great if there's no major opposition to it :)
It looks like the code for this is already there [5], maybe I should
open a new bug right now?
Would be nice to track it in BZ, yes.
Will do so and give the link there. Thanks!
2011/1/9 Aryeh Gregor <Simetrical+wikilist(a)gmail.com>:
I don't see any detailed documentation for X-Frame-Options anywhere.
It looks like IE8 made it up with no detailed spec and other browsers
copied the general idea still with no detailed spec. So I don't know,
sorry.
No worries :) Thanks again.
2011/1/9 Ilmari Karonen <nospam(a)vyznev.net>:
Both of them use a trick with an iframe to allow javascript requests
across the wikipedia.org subdomains (something that is not possible
using AJAX).
Use JSONP. The MediaWiki API supports it through the
"callback" parameter.
Hi Ilmari, great idea!
It's not as powerful as the iframe hack was (since it's limited to
the api), but I think it's enough for me to release a quick fix for
iKiwi (not for xmsg, unfortunately, because userinfo is not accessible
that way).
I didn't know about the callback parameter, so you just saved my
business ;-) Thanks a lot!
2011/1/10 Tim Starling <tstarling(a)wikimedia.org>:
On 10/01/11 01:23, Jérémie Roquet wrote:
- Taking the document.domain trick into account ⇒ would setting
X-Frame-Options to SAMEORIGIN instead of DENY allow frames between
/sub/domains?
No, SAMEORIGIN does not allow framing from say en.wikipedia.org to
fr.wikipedia.org. It only allows framing within the exact same domain.
http://blogs.msdn.com/b/ie/archive/2009/01/27/ie8-security-part-vii-clickja…
Hi Tim, thanks for the link and the explanations!
--
Jérémie
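
Added example (not part of the original message, and not MediaWiki or browser code): a simplified JavaScript model of the SAMEORIGIN answer quoted above. It compares origins as scheme, host and port, so en.wikipedia.org and fr.wikipedia.org never match. The function names and sample URLs are constructed for illustration, and only the two header values discussed in the thread are modelled.

```javascript
// Added example: simplified model of the X-Frame-Options decision.
// It covers only the two values discussed in this thread.

// Origin = scheme + host + port, as computed by the WHATWG URL parser.
function originOf(url) {
  return new URL(url).origin;
}

// Decide whether a response for framedUrl, sent with the given
// X-Frame-Options value, may be displayed in a frame on parentUrl.
function framingAllowed(headerValue, parentUrl, framedUrl) {
  const value = String(headerValue).trim().toUpperCase();
  if (value === "DENY") return false;
  if (value === "SAMEORIGIN") {
    return originOf(parentUrl) === originOf(framedUrl);
  }
  throw new Error("value not covered by this model: " + headerValue);
}

// Constructed sample cases: [header, framing page, framed page].
const CASES = [
  // Same host and scheme: allowed.
  ["SAMEORIGIN", "https://en.wikipedia.org/wiki/A", "https://en.wikipedia.org/wiki/B"],
  // Sibling subdomains: different origin, blocked.
  ["SAMEORIGIN", "https://en.wikipedia.org/wiki/A", "https://fr.wikipedia.org/wiki/B"],
  // Same host but different scheme: different origin, blocked.
  ["SAMEORIGIN", "http://en.wikipedia.org/wiki/A", "https://en.wikipedia.org/wiki/B"],
  // DENY blocks framing even from the same origin.
  ["DENY", "https://en.wikipedia.org/wiki/A", "https://en.wikipedia.org/wiki/B"],
];

function runCases() {
  return CASES.map(([header, parent, framed]) => framingAllowed(header, parent, framed));
}

console.log(runCases());
```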