Last modified: 2013-03-26 11:08:43 UTC
The X-Frame-Options header delivered by MediaWiki (at least on Wikimedia servers) for same-origin requests isn't consistent: sometimes it allows frames and sometimes denies them, in an unpredictable pattern. I couldn't reproduce it in enwiki, but in hewiki I did, though only as a registered user (as an anonymous user it isn't reproducible). As far as I tested, it may be related to user rights (my wgUserGroup is [bureaucrat, sysop, user, autoconfirmed] in hewiki, and [user, autoconfirmed] in enwiki).

How I test it:

1. Go to some hewiki page (we don't want to do cross-origin requests).
2. Pick some diff from recent changes (it should be the latest edit [that can be rolled back] or a diff that hasn't been patrolled yet).
3. Add an iframe to it:
   $('ul:first').append($('<iframe src="DIFF" width="50" height="50"></iframe>'))
   It fails (X-Frame-Options DENY).
4. Pick some non-latest diff [that isn't possible to roll back].
5. Do the same - it succeeds (no X-Frame-Options DENY).

(Step 3 always fails as registered, but succeeds as anonymous.)

I think it should be possible to reproduce the bug under different wikis if you have sufficient rights.

Specific examples for DIFFs:

1. non-latest edit - http://he.wikipedia.org/w/index.php?title=%D7%95%D7%99%D7%A7%D7%99%D7%A4%D7%93%D7%99%D7%94:%D7%91%D7%A7%D7%A9%D7%95%D7%AA_%D7%9E%D7%9E%D7%A4%D7%A2%D7%99%D7%9C%D7%99%D7%9D&diff=13937468&oldid=13937455
2. latest edit - http://he.wikipedia.org/w/index.php?title=%D7%A8%D7%A4%D7%90%D7%9C_%D7%93%D7%9C_%D7%A8%D7%99%D7%92%D7%95&diff=13938631&oldid=13731530

I don't see a reason why same-origin requests don't allow frames, but if there is some reason to do so, it should be consistent.
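The inconsistency described above can be checked without a browser by comparing the X-Frame-Options header the server returns for several same-origin pages. The script below is an added example and not part of the bug report or of MediaWiki: it evaluates a response's X-Frame-Options value the way a browser would (absent, DENY, SAMEORIGIN, ALLOW-FROM, or an ignored unknown value) and flags origins whose pages disagree on whether a same-origin frame is allowed. The SAMPLE observations are constructed from the two diff URLs in the report; fetch_xfo performs the live request and assumes you pass your own session cookie header.

```python
"""Check X-Frame-Options consistency across same-origin pages."""
from urllib.parse import urlsplit
from urllib.request import Request, urlopen


def origin_of(url):
    """Return scheme://host[:port], the browser's notion of an origin."""
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}".lower()


def frame_allowed(xfo, top_url, framed_url):
    """Would a browser render framed_url inside a page at top_url, given the
    framed response's X-Frame-Options value (None if the header is absent)?
    Browsers ignore unknown or malformed values, so those count as allowed."""
    if xfo is None:
        return True
    value = xfo.strip().upper()
    if value == "DENY":
        return False
    if value == "SAMEORIGIN":
        return origin_of(top_url) == origin_of(framed_url)
    if value.startswith("ALLOW-FROM"):
        allowed = value[len("ALLOW-FROM"):].strip()
        return allowed != "" and origin_of(top_url) == origin_of(allowed)
    return True


def inconsistent_origins(observations):
    """observations: list of (url, xfo_value). Return the origins whose pages
    disagree on whether a same-origin iframe of them would be allowed."""
    by_origin = {}
    for url, xfo in observations:
        by_origin.setdefault(origin_of(url), set()).add(frame_allowed(xfo, url, url))
    return sorted(o for o, verdicts in by_origin.items() if len(verdicts) > 1)


def fetch_xfo(url, cookie=None):
    """Fetch url (optionally with a session Cookie header) and return X-Frame-Options."""
    req = Request(url, headers={"Cookie": cookie} if cookie else {})
    with urlopen(req) as resp:
        return resp.headers.get("X-Frame-Options")


# Constructed sample matching the report: same origin, but only the latest-edit
# (rollbackable) diff came back with DENY for a logged-in user.
SAMPLE = [
    ("http://he.wikipedia.org/w/index.php?diff=13937468&oldid=13937455", None),
    ("http://he.wikipedia.org/w/index.php?diff=13938631&oldid=13731530", "DENY"),
]

if __name__ == "__main__":
    import sys  # usage: python check_xfo.py "session cookie header value"
    cookie = sys.argv[1] if len(sys.argv) > 1 else None
    live = [(u, fetch_xfo(u, cookie)) for u, _ in SAMPLE]
    print("inconsistent origins:", inconsistent_origins(live))
```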