The X-Frame-Options header delivered by MediaWiki (at least on Wikimedia servers) for same-origin requests isn't consistent: sometimes it allows frames and sometimes it denies them, in an unpredictable pattern.
I couldn't reproduce it on enwiki, but on hewiki I did, though only as a registered user (as an anonymous user it isn't reproducible). As far as I tested, it may be related to user rights (my wgUserGroup is [bureaucrat, sysop, user, autoconfirmed] on hewiki, and [user, autoconfirmed] on enwiki).
How to test it:
- go to some hewiki page (we don't want to do cross-origin requests)
- pick some diff from recent changes (it should be the latest edit [one that can be rolled back] or a diff that hasn't been patrolled yet)
- add an iframe to it: $('ul:first').append($('<iframe src="DIFF" width="50" height="50"></iframe>')) - it fails (X-Frame-Options DENY)
- pick some non-latest diff [one that can't be rolled back]
- do the same - it succeeds (no X-Frame-Options DENY)
(Step 3 always fails as a registered user, but succeeds as an anonymous user.)
I think it should be possible to reproduce the bug on different wikis if you have sufficient rights.
Specific example diffs:
- non latest edit - http://he.wikipedia.org/w/index.php?title=%D7%95%D7%99%D7%A7%D7%99%D7%A4%D7%93%D7%99%D7%94:%D7%91%D7%A7%D7%A9%D7%95%D7%AA_%D7%9E%D7%9E%D7%A4%D7%A2%D7%99%D7%9C%D7%99%D7%9D&diff=13937468&oldid=13937455
- latest edit - http://he.wikipedia.org/w/index.php?title=%D7%A8%D7%A4%D7%90%D7%9C_%D7%93%D7%9C_%D7%A8%D7%99%D7%92%D7%95&diff=13938631&oldid=13731530
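Added example (not MediaWiki or Wikimedia code): a small Python checker that models the browser's X-Frame-Options decision for a same-origin embed and flags pages of one wiki whose verdicts disagree. The sample responses are constructed to mirror the two diffs above (title parameter dropped), and fetch_xfo is a hypothetical helper for live checking that the sample does not call.

```python
from typing import Dict, Optional, Tuple
from urllib.parse import urlparse
from urllib.request import Request, urlopen


def origin_of(url: str) -> str:
    """Origin (scheme://host[:port]) of a URL, lower-cased for comparison."""
    p = urlparse(url)
    return f"{p.scheme}://{p.netloc}".lower()


def frame_allowed(xfo: Optional[str], page_url: str, top_url: str) -> Optional[bool]:
    """Model the browser decision for a page served with X-Frame-Options `xfo`
    when embedded by a top-level document at `top_url`.
    True/False for DENY/SAMEORIGIN/no header; None for values not modelled here."""
    if xfo is None:
        return True                      # no header: framing is not restricted
    value = xfo.strip().upper()
    if value == "DENY":
        return False
    if value == "SAMEORIGIN":
        return origin_of(page_url) == origin_of(top_url)
    return None                          # ALLOW-FROM or unrecognised token


def fetch_xfo(url: str) -> Optional[str]:
    """Hypothetical live-check helper (needs network): header value or None."""
    with urlopen(Request(url, method="HEAD")) as resp:   # HEAD: headers only
        return resp.headers.get("X-Frame-Options")


def xfo_verdicts(responses: Dict[str, Optional[str]],
                 top_url: str) -> Tuple[Dict[str, Optional[bool]], bool]:
    """Map each same-origin page to its framing verdict and report whether the
    verdicts disagree, which is the inconsistency this report describes."""
    top = origin_of(top_url)
    verdicts = {u: frame_allowed(x, u, top_url)
                for u, x in responses.items() if origin_of(u) == top}
    return verdicts, len(set(verdicts.values())) > 1


# Constructed sample mirroring the report: a logged-in user gets DENY on the
# latest diff but no header at all on an older diff of the same wiki.
OLDER_DIFF = "http://he.wikipedia.org/w/index.php?diff=13937468&oldid=13937455"
LATEST_DIFF = "http://he.wikipedia.org/w/index.php?diff=13938631&oldid=13731530"
SAMPLE_RESPONSES: Dict[str, Optional[str]] = {OLDER_DIFF: None, LATEST_DIFF: "DENY"}

if __name__ == "__main__":
    top = "http://he.wikipedia.org/wiki/Special:RecentChanges"
    verdicts, inconsistent = xfo_verdicts(SAMPLE_RESPONSES, top)
    for url, ok in verdicts.items():
        print({True: "frameable", False: "blocked", None: "unknown"}[ok], url)
    print("inconsistent same-origin policy:", inconsistent)
```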
I don't see a reason why same-origin requests don't allow frames, but if there is some reason to do so, it should be consistent.
Version: 1.21.x
Severity: normal