https://bugzilla.wikimedia.org/show_bug.cgi?id=46560

       Web browser: ---
            Bug ID: 46560
           Summary: non consistent X-Frame-Options
           Product: MediaWiki
           Version: unspecified
          Hardware: All
                OS: All
            Status: NEW
          Severity: normal
          Priority: Unprioritized
         Component: General/Unknown
          Assignee: wikibugs-l@lists.wikimedia.org
          Reporter: en...@walla.co.il
    Classification: Unclassified
   Mobile Platform: ---

The X-Frame-Options header delivered by Mediawiki (at least on Wikimedia
servers) for same-origin requests isn't consistent: sometimes it allows frames
and sometimes denies them, in an unpredictable pattern.

I couldn't reproduce it in enwiki, but in hewiki I did, though only as a
registered user (as an anonymous user it isn't reproducible). As far as I tested,
it may be related to user rights (my wgUserGroup is [bureaucrat,sysop,user,
autoconfirmed] in hewiki, and [user, autoconfirmed] in enwiki).

How I test it:
1. Go to some hewiki page (we don't want to do cross-origin requests).
2. Pick some diff from recent changes (it should be the latest edit [one that can
be rolled back] or a diff that hasn't been patrolled yet).
3. Add an iframe to it: $('ul:first').append($('<iframe src="DIFF" width="50"
height="50"></iframe>')) - it fails (X-Frame-Options DENY).
4. Pick some non-latest diff [one that isn't possible to roll back].
5. Do the same - it succeeds (no X-Frame deny).
(Step 3 always fails as a registered user, but succeeds as anonymous.)
I think it should be possible to reproduce the bug on other wikis if you
have sufficient rights.

Specific example for DIFFs:
1. non latest edit -
http://he.wikipedia.org/w/index.php?title=%D7%95%D7%99%D7%A7%D7%99%D7%A4%D7%93%D7%99%D7%94:%D7%91%D7%A7%D7%A9%D7%95%D7%AA_%D7%9E%D7%9E%D7%A4%D7%A2%D7%99%D7%9C%D7%99%D7%9D&diff=13937468&oldid=13937455
2. latest edit -
http://he.wikipedia.org/w/index.php?title=%D7%A8%D7%A4%D7%90%D7%9C_%D7%93%D7%9C_%D7%A8%D7%99%D7%92%D7%95&diff=13938631&oldid=13731530

I don't see a reason why same-origin requests don't allow frames, but if there
is some reason to do so, it should be consistent.

_______________________________________________
Wikibugs-l mailing list
Wikibugs-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikibugs-l
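The reproduction steps in the report compare X-Frame-Options across diff pages by hand, one iframe at a time. As an added example (not code from the report or from MediaWiki), the following Node.js script makes that comparison programmatic: it normalises the header value, groups URLs by the resulting policy, and flags the case the report describes, where same-origin pages fetched in the same session disagree. The sample responses and their URLs are constructed placeholders; the fetch helper, the session-header parameter and all function names are assumptions.

```javascript
// Added example (not from the bug report or MediaWiki): audit whether a set of
// same-origin responses agree on X-Frame-Options. SAMPLE_RESPONSES below is
// constructed; fetchFrameOptions() runs the same audit against live URLs.

// Case-insensitive header lookup over a plain object of response headers.
function getHeader(headers, name) {
  const want = name.toLowerCase();
  for (const key of Object.keys(headers)) {
    if (key.toLowerCase() === want) return headers[key];
  }
  return undefined;
}

// Normalise a raw X-Frame-Options value into a comparable policy.
// sameOriginFramable: may a page from the same origin embed this response?
function parseFrameOptions(raw) {
  if (raw === undefined || raw === null || raw.trim() === '') {
    return { policy: 'NONE', sameOriginFramable: true };
  }
  // Split combined values (a proxy may append a second copy of the header).
  const parts = raw.split(',').map((p) => p.trim()).filter(Boolean);
  const distinct = [...new Set(parts.map((p) => p.toUpperCase()))];
  if (distinct.length > 1) {
    // Conflicting directives are a misconfiguration to fix, not a policy.
    return { policy: 'CONFLICT', sameOriginFramable: false, raw };
  }
  const value = distinct[0];
  if (value === 'DENY') return { policy: 'DENY', sameOriginFramable: false };
  if (value === 'SAMEORIGIN') return { policy: 'SAMEORIGIN', sameOriginFramable: true };
  if (value.startsWith('ALLOW-FROM')) {
    // Legacy directive; same-origin framing depends on the origin it names.
    const origin = parts[0].slice('ALLOW-FROM'.length).trim();
    return { policy: 'ALLOW-FROM', sameOriginFramable: null, origin };
  }
  // Unrecognised token: browsers ignore the header, so the page stays framable.
  return { policy: 'INVALID', sameOriginFramable: true, raw };
}

// Group URLs by effective policy. More than one group for pages requested from
// the same origin with the same session is the symptom the report describes.
function auditFrameOptions(responses) {
  const groups = {};
  for (const { url, headers } of responses) {
    const { policy } = parseFrameOptions(getHeader(headers, 'X-Frame-Options'));
    (groups[policy] = groups[policy] || []).push(url);
  }
  return { consistent: Object.keys(groups).length <= 1, groups };
}

// Live variant with an injectable fetch (assumed helper, Node 18+ for global
// fetch). The report says anonymous and logged-in sessions behave differently,
// so run it once without and once with a session cookie in extraHeaders.
async function fetchFrameOptions(urls, extraHeaders = {}, fetchImpl = globalThis.fetch) {
  const responses = [];
  for (const url of urls) {
    const res = await fetchImpl(url, { headers: extraHeaders, redirect: 'manual' });
    responses.push({ url, headers: { 'X-Frame-Options': res.headers.get('X-Frame-Options') } });
  }
  return auditFrameOptions(responses);
}

// Constructed sample standing in for the two diff URLs in the report
// (placeholder titles and revision ids, not the real ones).
const SAMPLE_RESPONSES = [
  { url: 'https://he.wikipedia.org/w/index.php?title=A&diff=1&oldid=0',
    headers: { 'Content-Type': 'text/html' } },
  { url: 'https://he.wikipedia.org/w/index.php?title=B&diff=2&oldid=1',
    headers: { 'x-frame-options': 'DENY' } },
];

console.log(JSON.stringify(auditFrameOptions(SAMPLE_RESPONSES), null, 2));
```

Running the live variant twice, once anonymously and once with the logged-in session's cookie header, gives the two groupings the report contrasts; a `consistent: false` result for one session lists exactly which URLs received DENY and which received nothing, which is the evidence a developer would want attached to a ticket like this.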
