2011/1/9 Roan Kattouw <[email protected]>:
> 2011/1/9 Jérémie Roquet <[email protected]>:
>>  - It would be very nice to have CORS enabled across the Wiki[mp]edia
>> subdomains (I see it has been mentioned by Brion in the `JavaScript
>> access to uploaded file contents' thread [3][4] for
>> upload.wikimedia.org) => is it something that can be done / discussed?
> This has been discussed in a few contexts now, and we all seem to
> agree that this is a good idea and should definitely be enabled. I'd
> propose doing this after we deploy 1.17wmf1 and stuff has calmed down
> a bit (it's not uncommon for things to break after a major
> deployment).

Hi Roan. It's great if there's no major opposition to it :)

>> It looks like the code for this is already there [5], maybe I should
>> open a new bug right now?
> Would be nice to track it in BZ, yes.

Will do so and give the link there. Thanks!

2011/1/9 Aryeh Gregor <[email protected]>:
> I don't see any detailed documentation for X-Frame-Options anywhere.
> It looks like IE8 made it up with no detailed spec and other browsers
> copied the general idea still with no detailed spec.  So I don't know,
> sorry.

No worries :) Thanks again.

2011/1/9 Ilmari Karonen <[email protected]>:
>> Both of them use a trick with an iframe to allow javascript requests
>> across the wikipedia.org subdomains (something that is not possible
>> using AJAX).
> Use JSONP.  The MediaWiki API supports it through the "callback" parameter.

Hi Ilmari, great idea!
It's not as powerful as the iframe hack was (since it's limited to
the api), but I think it's enough for me to release a quick fix for
iKiwi (not for xmsg, unfortunately, because userinfo is not accessible
that way).
I didn't know about the callback parameter, so you just saved my
business ;-) Thanks a lot!

2011/1/10 Tim Starling <[email protected]>:
> On 10/01/11 01:23, Jérémie Roquet wrote:
>>  - Taking the document.domain trick into account ⇒ would setting
>> X-Frame-Options to SAMEORIGIN instead of DENY allow frames between
>> /sub/domains?
> No, SAMEORIGIN does not allow framing from say en.wikipedia.org to
> fr.wikipedia.org. It only allows framing within the exact same domain.
> http://blogs.msdn.com/b/ie/archive/2009/01/27/ie8-security-part-vii-clickjacking-defenses.aspx

Hi Tim, thanks for the link and the explanations!

-- 
Jérémie

_______________________________________________
Wikitech-l mailing list
[email protected]
https://lists.wikimedia.org/mailman/listinfo/wikitech-l
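
Tim Starling's point about SAMEORIGIN, as an added example that is not part of the original thread: a small JavaScript model of the X-Frame-Options check, run over constructed URLs on the hostnames mentioned above. The function names, the every-ancestor comparison and the handling of unrecognised values are assumptions of this sketch, not any browser's code.

```javascript
// Added illustration (not from the thread): a model of how a browser
// decides whether a response carrying X-Frame-Options may be framed.

// An origin is the (scheme, host, port) triple; URL.origin serialises it.
// document.domain is not an input here: the check compares URL origins.
function originOf(url) {
  return new URL(url).origin;
}

// headerValue:  value of the X-Frame-Options response header.
// framedUrl:    URL of the page that sent the header.
// ancestorUrls: URLs of the framing documents, immediate parent first,
//               top-level document last.
// Returns true when the frame may be rendered.
function framingAllowed(headerValue, framedUrl, ancestorUrls) {
  const policy = String(headerValue).trim().toUpperCase();
  if (policy === 'DENY') {
    return false; // never rendered in a frame, even by its own origin
  }
  if (policy === 'SAMEORIGIN') {
    const target = originOf(framedUrl);
    // Assumption: every ancestor must match, the strictest reading.
    return ancestorUrls.every((u) => originOf(u) === target);
  }
  // Assumption of this model: any other value imposes no restriction.
  return true;
}

// Constructed sample cases using the hostnames from the thread.
function demo() {
  const fr = 'https://fr.wikipedia.org/wiki/Accueil';
  const en = 'https://en.wikipedia.org/wiki/Main_Page';
  return {
    crossSubdomain: framingAllowed('SAMEORIGIN', fr, [en]),
    sameHost: framingAllowed('SAMEORIGIN', fr, ['https://fr.wikipedia.org/wiki/Aide']),
    schemeDiffers: framingAllowed('SAMEORIGIN', fr, ['http://fr.wikipedia.org/']),
    nestedViaOther: framingAllowed('SAMEORIGIN', en, ['https://other.example/', en]),
    denySameHost: framingAllowed('DENY', fr, [fr]),
  };
}

console.log(demo());
```

Only the case where the framing page shares scheme, host and port with the framed page is allowed; a sibling subdomain is treated like any other foreign site.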
