Last modified: 2013-10-23 15:57:23 UTC
The fix for bug 39180 ( https://gerrit.wikimedia.org/r/20472 ) broke UploadWizard in IE, because it uses an iframe to submit a form that includes a file upload input. This has to be done with a form submission rather than AJAX because it involves a file upload, and it has to be done in an iframe to prevent the browser from navigating away from the page. In modern browsers, it uses a combination of FileAPI and binary XHR so an iframe isn't needed, but in IE these features aren't available so it falls back to using an iframe. I am now working around this on the live site by setting $wgApiFrameOptions = 'SAMEORIGIN'; for all wikis that have UploadWizard. We couldn't reach Chris to get his input on this, but RobLa approved it on his behalf. Filed this bug because the above is a temporary hack and we should discuss a more permanent solution.
(In reply to comment #0)
> I am now working around this on the live site by setting $wgApiFrameOptions =
> 'SAMEORIGIN'; for all wikis that have UploadWizard. We couldn't reach Chris to
> get his input on this, but RobLa approved it on his behalf.
https://gerrit.wikimedia.org/r/22290 , merged and deployed.
Also affects IE9 apparently.
It affects all browsers that use the iframe uploader of UploadWizard. You can reproduce in other browsers by setting:
$wgUploadWizardConfig = array(
	'enableFormData' => false,
);
Also affects http://mwreview.wmflabs.org/wiki/index.php/Special:UploadWizard btw
Please set en.wp also to 'SAMEORIGIN'
Reason: Community script for uploading files broken.
https://en.wikipedia.org/wiki/Wikipedia:File_Upload_Wizard
Change 82751 had a related patch set uploaded by CSteipp:
Enable XFO: SAMEORIGIN for enwiki
https://gerrit.wikimedia.org/r/82751
There was some confusion, since Gerrit change #22290 enables SAMEORIGIN for wikis where UploadWizard is enabled. However, it's disabled on enwiki, so this patch will also enable it there.
Change 82751 merged by jenkins-bot:
Enable XFO: SAMEORIGIN for enwiki
https://gerrit.wikimedia.org/r/82751
Presumably deployed by now
Just confirmed that SAMEORIGIN is returned on API calls.
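The framing behaviour discussed in this thread, as an added example that is not part of the original bug report or MediaWiki's code: a simplified model of how a browser applies X-Frame-Options to an API response loaded in an iframe. The hosts are constructed, only the direct parent page is considered, and it is an assumption here that the stricter value in effect before the workaround was DENY.

```javascript
'use strict';

// Normalise an X-Frame-Options value.
// Returns 'DENY', 'SAMEORIGIN', or null when the header is absent or not
// one of those two values (this model treats an unrecognised value as absent).
function parseXfo(value) {
  if (typeof value !== 'string') return null;
  const v = value.trim().toUpperCase();
  return v === 'DENY' || v === 'SAMEORIGIN' ? v : null;
}

// Decide whether a page at parentUrl may render the response for frameUrl
// inside an iframe, given that response's X-Frame-Options value.
function canFrame(parentUrl, frameUrl, xfoValue) {
  const policy = parseXfo(xfoValue);
  if (policy === null) return true;     // no usable header: any site may frame it
  if (policy === 'DENY') return false;  // blocks every parent, the wiki itself included
  // SAMEORIGIN: scheme, host and port of parent and framed response must match.
  return new URL(parentUrl).origin === new URL(frameUrl).origin;
}

// Constructed sample URLs (hypothetical hosts, not taken from the bug report).
const WIZARD = 'https://wiki.example.org/wiki/Special:UploadWizard';
const API = 'https://wiki.example.org/w/api.php';
const OTHER = 'https://other.example.net/embed.html';

// The cases the thread turns on, evaluated against the model.
function scenarios() {
  return {
    // Iframe uploader posting to the same wiki's API under DENY: blocked.
    denySameSite: canFrame(WIZARD, API, 'DENY'),
    // Same request once the API answers SAMEORIGIN: allowed.
    sameOriginSameSite: canFrame(WIZARD, API, 'SAMEORIGIN'),
    // A third-party page framing the API under SAMEORIGIN: still blocked.
    sameOriginCrossSite: canFrame(OTHER, API, 'SameOrigin'),
    // No header at all: the third-party page can frame the API response.
    noHeaderCrossSite: canFrame(OTHER, API, undefined),
  };
}

console.log(scenarios());
```
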