Page MenuHomePhabricator

X-Frame-Options: DENY in API responses breaks UploadWizard in IE8, consider using SAMEORIGIN instead
Closed, ResolvedPublic

Description

The fix for bug 39180 ( https://gerrit.wikimedia.org/r/20472 ) broke UploadWizard in IE, because it uses an iframe to submit a form that includes a file upload input. This has to be done with a form submission rather than AJAX because it involves a file upload, and it has to be done in an iframe to prevent the browser from navigating away from the page. In modern browsers, it uses a combination of FileAPI and binary XHR so an iframe isn't needed, but in IE these features aren't available so it falls back to using an iframe.

I am now working around this on the live site by setting $wgApiFrameOptions = 'SAMEORIGIN'; for all wikis that have UploadWizard. We couldn't reach Chris to get his input on this, but RobLa approved it on his behalf.

Filed this bug because the above is a temporary hack and we should discuss a more permanent solution.


Version: 1.20.x
Severity: normal

Details

Reference
bz39877

Event Timeline

bzimport raised the priority of this task from to High.Nov 22 2014, 12:55 AM
bzimport set Reference to bz39877.

(In reply to comment #0)

I am now working around this on the live site by setting $wgApiFrameOptions =
'SAMEORIGIN'; for all wikis that have UploadWizard. We couldn't reach Chris to
get his input on this, but RobLa approved it on his behalf.

https://gerrit.wikimedia.org/r/22290 , merged and deployed.

It affects all browsers that use the iframe uploader of UploadWizard. You can reproduce in other browsers by setting:

$wgUploadWizardConfig = array(

'enableFormData' => false,

);

Also affects http://mwreview.wmflabs.org/wiki/index.php/Special:UploadWizard btw

Please set en.wp also to 'SAMEORIGIN'
Reason: Community script for uploading files broken.
https://en.wikipedia.org/wiki/Wikipedia:File_Upload_Wizard

Change 82751 had a related patch set uploaded by CSteipp:
Enable XFO: SAMEORIGIN for enwiki

https://gerrit.wikimedia.org/r/82751

There was some confusion, since gerrit 22290 enables SAMEORIGIN for wikis where UploadWizard is enabled. However, it's disabled on enwiki, so this patch will also enable it there.

Change 82751 merged by jenkins-bot:
Enable XFO: SAMEORIGIN for enwiki

https://gerrit.wikimedia.org/r/82751

Just confirmed that SAMEORIGIN is returned on API calls.