Page MenuHomePhabricator

Remove $wgApiFrameOptions = 'SAMEORIGIN' override for enwiki (English Wikipedia)
Open, Stalled, NormalPublic

Description

What would it take for us to be able to remove $wgApiFrameOptions = 'SAMEORIGIN' override for enwiki?

See also T131182.

Event Timeline

matmarex created this task.Mar 29 2016, 6:24 PM
Restricted Application added subscribers: Malyacko, JEumerus, Matanya, Aklapper. · View Herald TranscriptMar 29 2016, 6:24 PM

Per T41877, this was needed for https://en.wikipedia.org/wiki/Wikipedia:File_Upload_Wizard to work. Is it still? @Rillke, do you know if that tool has been updated to use something saner since 2012?

matmarex claimed this task.Mar 29 2016, 6:25 PM
Rillke added a comment.EditedMar 29 2016, 7:26 PM

https://en.wikipedia.org/wiki/MediaWiki:FileUploadWizard.js

// However, since api.php sends back a response page that humans won't want to read,
// we'll have to channel that response away and discard it. We'll use a hidden iframe
// for that purpose.
// Unfortunately, it doesn't seem possible to submit file upload content through an 
// Xmlhtml object via Ajax.

Last update was 11:26, 24. Jun. 2015‎ and at this time, MediaWiki still supported IE8 so iframe upload was still required.

Brought up the issue at the script's talk page.

Hmm. Do *you* really want to support IE 8/9 with that tool, though? It
would probably be fine to just point these users to the plain
Special:Upload form.

(MediaWiki doesn't support IE 8 anymore, but IE 9 can't upload files
through XMLHTTPRequest either. IE 10 can.)

Do *you* really

I, the community or Future Perfect at Sunrise? I don't want.

would probably be fine to just point these users to the plain Special:Upload form.

I think the issue they've been trying to solve with that script was something with the workflow, mainly getting fair use material upload to WP and sending the free stuff to Commons.

matmarex removed matmarex as the assignee of this task.Apr 1 2016, 5:16 PM

https://en.wikipedia.org/wiki/MediaWiki:FileUploadWizard.js

// However, since api.php sends back a response page that humans won't want to read,
// we'll have to channel that response away and discard it. We'll use a hidden iframe
// for that purpose.
// Unfortunately, it doesn't seem possible to submit file upload content through an 
// Xmlhtml object via Ajax.

Last update was 11:26, 24. Jun. 2015‎ and at this time, MediaWiki still supported IE8 so iframe upload was still required.
Brought up the issue at the script's talk page.

(just so it while reviewing the configuration) Do we really need it these days?

It appears still necessary to support FileUploadWizard.js, until that tool is updated to use more modern APIs (it is now definitely possible to "submit file upload content through an Xmlhtml object via Ajax").