Page MenuHomePhabricator
Create Task
Maniphest T173631

File Upload Wizard doesn't work well with X-Frame-Options set to be DENY on zhwiki
Closed, ResolvedPublic
Actions

Description

We imported the File Upload Wizard from English Wikipedia ([[:en:Wikipedia:File_Upload_Wizard]]) to Chinese Wikipedia ([[:zh:Wikipedia:上传/new]]).

It almost works but as the X-Frame-Options on zhwiki is set to DENY, the tool cannot get document from IFrame. Thus the upload result cannot be shown to the user. Maybe the value should be set SAMEORIGIN to fix this problem.

The bug was originally reported on village pump on zhwiki ([[:zh:Special:Diff/45718401]]) by Vozhuo.

Details

SubjectRepoBranchLines +/-
Set X-Frame-Options: SAMEORIGIN if UploadWizard enabledoperations/mediawiki-configmaster+1 -0
Customize query in gerrit

Related Objects

Event Timeline

Alexander_Misel created this task.Aug 19 2017, 5:00 PM
Restricted Application added subscribers: Stang, Aklapper. · View Herald TranscriptAug 19 2017, 5:00 PM
Aklapper added a comment.Aug 20 2017, 9:03 AM

Hi @Alexander_Misel, thanks for taking the time to report this!
Looking at https://noc.wikimedia.org/conf/InitialiseSettings.php.txt I see the lines

'wgApiFrameOptions' => [
	'default' => 'DENY',
	'enwiki' => 'SAMEORIGIN', // T41877
],

which might be the reason why this works on en.wp but not zh.wp?

(If you'd like to prepare a patch to change mediawiki-config/wmf-config/InitialiseSettings.php , you are very welcome to use developer access to submit the proposed code changes as a Git branch directly into Gerrit. If you don't want to set up Git/Gerrit, you can also use the Gerrit Patch Uploader.)

Urbanecm claimed this task.Aug 20 2017, 11:44 AM
Urbanecm triaged this task as Medium priority.
Urbanecm subscribed.

Will do later today.

Restricted Application added a project: User-Urbanecm. · View Herald TranscriptAug 20 2017, 11:44 AM
gerritbot subscribed.Aug 20 2017, 11:56 AM

Change 372789 had a related patch set uploaded (by Gerrit Patch Uploader; owner: Alexander Misel):
[operations/mediawiki-config@master] Set X-Frame-Options: SAMEORIGIN if UploadWizard enabled

https://gerrit.wikimedia.org/r/372789

gerritbot added a project: Patch-For-Review.Aug 20 2017, 11:56 AM
Alexander_Misel added a comment.Aug 20 2017, 12:00 PM

@Aklapper I uploaded using diff tool and Gerrit Patch Uploader on https://gerrit.wikimedia.org/r/#/c/372789/. I'm not sure if I committed correctly.

Liuxinyu970226 subscribed.Aug 20 2017, 12:09 PM
Urbanecm reassigned this task from Urbanecm to Alexander_Misel.Aug 20 2017, 1:08 PM

Yes, it is correct! Assigning it to you then. There is one additional step needed! You must add it to one of SWAT windows (https://wikitech.wikimedia.org/wiki/Deployment) in order to get it merged and deployed. Then you need to be present in #wikimedia-operations during the SWAT time to test the patch and answer any questions. I can do it for you if you wish.

Urbanecm moved this task from Backlog to To deploy on the User-Urbanecm board.Aug 20 2017, 1:08 PM
Urbanecm moved this task from Backlog to To deploy on the Wikimedia-Site-requests board.
Alexander_Misel added a comment.Aug 20 2017, 1:34 PM

@Urbanecm Could you please do the additional step for me? Thank you.

Urbanecm added a comment.Aug 20 2017, 1:38 PM

Yes. This will be deployed at Monday, between 13:00 and 14:00 UTC.

gerritbot added a comment.Aug 21 2017, 1:41 PM

Change 372789 merged by Zfilipin:
[operations/mediawiki-config@master] Set X-Frame-Options: SAMEORIGIN if UploadWizard enabled

https://gerrit.wikimedia.org/r/372789

Stashbot subscribed.Aug 21 2017, 1:46 PM

Mentioned in SAL (#wikimedia-operations) [2017-08-21T13:46:29Z] <zfilipin@tin> Synchronized wmf-config/InitialiseSettings.php: SWAT: [[gerrit:372789|Set X-Frame-Options: SAMEORIGIN if UploadWizard enabled (T173631)]] (duration: 00m 44s)

Urbanecm closed this task as Resolved.Aug 21 2017, 1:48 PM

Deployed. Please do check if it works as expected and if you'll find any errors, please reopen&comment (by changing its status). Thank you!

Liuxinyu970226 unsubscribed.Aug 21 2017, 2:24 PM
Liuxinyu970226 added a project: Chinese-Sites.Aug 22 2017, 8:22 AM
Shizhao moved this task from Backlog to Closed on the Chinese-Sites board.Aug 23 2017, 11:26 AM
Stang unsubscribed.Nov 14 2021, 12:15 AM
Tgr mentioned this in T131183: Remove $wgApiFrameOptions = 'SAMEORIGIN' override for enwiki and zhwiki.Sep 7 2023, 9:06 AM
Maintenance_bot removed a project: Patch-For-Review.Sep 7 2023, 9:11 AM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits