Last modified: 2013-10-23 15:57:23 UTC

Wikimedia Bugzilla is closed!

Wikimedia migrated from Bugzilla to Phabricator. Bug reports are handled in Wikimedia Phabricator.
This static website is read-only and for historical purposes. It is not possible to log in and except for displaying bug reports and their history, links might be broken. See T41877, the corresponding Phabricator task for complete and up-to-date bug report information.
Bug 39877 - X-Frame-Options: DENY in API responses breaks UploadWizard in IE8, consider using SAMEORIGIN instead
Status: RESOLVED FIXED
Product: MediaWiki
Classification: Unclassified
Component: API
Version: 1.20.x
Hardware: All All
Importance: High normal
Target Milestone: ---
Assigned To: Sam Reed (reedy)
Reported: 2012-09-01 02:45 UTC by Roan Kattouw
Modified: 2013-10-23 15:57 UTC (History)

Description Roan Kattouw 2012-09-01 02:45:40 UTC
The fix for bug 39180 ( https://gerrit.wikimedia.org/r/20472 ) broke UploadWizard in IE, because it uses an iframe to submit a form that includes a file upload input. This has to be done with a form submission rather than AJAX because it involves a file upload, and it has to be done in an iframe to prevent the browser from navigating away from the page. In modern browsers, it uses a combination of FileAPI and binary XHR so an iframe isn't needed, but in IE these features aren't available so it falls back to using an iframe.

I am now working around this on the live site by setting $wgApiFrameOptions = 'SAMEORIGIN'; for all wikis that have UploadWizard. We couldn't reach Chris to get his input on this, but RobLa approved it on his behalf.

Filed this bug because the above is a temporary hack and we should discuss a more permanent solution.
Comment 1 Roan Kattouw 2012-09-01 02:49:52 UTC
(In reply to comment #0)
> I am now working around this on the live site by setting $wgApiFrameOptions =
> 'SAMEORIGIN'; for all wikis that have UploadWizard. We couldn't reach Chris to
> get his input on this, but RobLa approved it on his behalf.
>
https://gerrit.wikimedia.org/r/22290 , merged and deployed.
Comment 2 Ryan Kaldari 2012-09-01 03:06:40 UTC
Also affects IE9 apparently.
Comment 3 Derk-Jan Hartman 2012-09-05 10:03:53 UTC
It affects all browsers that use the iframe uploader of UploadWizard. You can reproduce in other browsers by setting:

$wgUploadWizardConfig = array(
        'enableFormData' => false,
);

Also affects http://mwreview.wmflabs.org/wiki/index.php/Special:UploadWizard btw
Comment 4 Rainer Rillke @commons.wikimedia 2012-09-18 17:26:47 UTC
Please set en.wp also to 'SAMEORIGIN'
 Reason: Community script for uploading files broken.
 https://en.wikipedia.org/wiki/Wikipedia:File_Upload_Wizard
Comment 5 Gerrit Notification Bot 2013-09-04 21:45:31 UTC
Change 82751 had a related patch set uploaded by CSteipp:
Enable XFO: SAMEORIGIN for enwiki

https://gerrit.wikimedia.org/r/82751
Comment 6 Chris Steipp 2013-09-04 21:47:48 UTC
There was some confusion, since Gerrit change #22290 enables SAMEORIGIN for wikis where UploadWizard is enabled. However, it's disabled on enwiki, so this patch will also enable it there.
Comment 7 Gerrit Notification Bot 2013-09-16 19:00:44 UTC
Change 82751 merged by jenkins-bot:
Enable XFO: SAMEORIGIN for enwiki

https://gerrit.wikimedia.org/r/82751
Comment 8 Rob Lanphier 2013-10-23 15:50:10 UTC
Presumably deployed by now
Comment 9 Mark Holmquist 2013-10-23 15:57:23 UTC
Just confirmed that SAMEORIGIN is returned on API calls.
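
The behaviour discussed in this bug, as an added example that is not part of the original report or of MediaWiki's code: a Python model of how a browser applies X-Frame-Options to the API response loaded by UploadWizard's iframe uploader. The URLs are constructed placeholders; treating the most restrictive value as the winner and comparing only against the embedding page's origin are assumptions of this sketch.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

def origin(url):
    """Return the (scheme, host, port) origin tuple of a URL."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    return (scheme, (parts.hostname or "").lower(),
            parts.port or DEFAULT_PORTS.get(scheme))

def xfo_policy(headers):
    """Reduce a list of (name, value) response headers to one XFO policy.

    Returns 'DENY', 'SAMEORIGIN', or None when no usable header is present.
    Assumption: when several values are sent, the most restrictive one wins.
    """
    values = set()
    for name, value in headers:
        if name.strip().lower() == "x-frame-options":
            values.update(v.strip().upper() for v in value.split(","))
    if "DENY" in values:
        return "DENY"
    if "SAMEORIGIN" in values:
        return "SAMEORIGIN"
    return None  # absent or unrecognised value: no restriction modelled

def iframe_upload_renders(headers, page_url, api_url):
    """True if the API response may load in an iframe embedded by page_url."""
    policy = xfo_policy(headers)
    if policy == "DENY":
        return False  # the state after the bug 39180 fix: iframe uploader breaks
    if policy == "SAMEORIGIN":
        return origin(page_url) == origin(api_url)
    return True

# Constructed sample data (not captured from a real wiki).
PAGE = "https://wiki.example/wiki/Special:UploadWizard"
API = "https://wiki.example/w/api.php"
FOREIGN_PAGE = "https://other-site.example/frame.html"

if __name__ == "__main__":
    for value in ("DENY", "SAMEORIGIN"):
        hdrs = [("X-Frame-Options", value)]
        print(value, "same-origin page:", iframe_upload_renders(hdrs, PAGE, API),
              "foreign page:", iframe_upload_renders(hdrs, FOREIGN_PAGE, API))
```
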
