Respect $wgApiFrameOptions in formatted API output mode

This restores the pre- d25cb992 behaviour. Apparently UploadWizard's
flickr module relies on this (Which seems rather wrong, but
regardless I still think api handling of $wgApiFrameOptions should
extend to the "fm" modes.)

Note: If $wgBreakFrames is true, then frames will still be broken.
Although this is a change from prior behaviour, it makes sense
to me that $wgBreakFrames would not allow the human readable output
of the API be frammed.

Bug: 72340
Change-Id: Ia61a4698f7044acfcd7339207590d9333f4100cb

diff --git a/includes/DefaultSettings.php b/includes/DefaultSettings.php
index af36a64..d45e573 100644 (file)
--- a/includes/DefaultSettings.php
+++ b/includes/DefaultSettings.php
@@ -3079,6 +3079,7 @@ $wgEditPageFrameOptions = 'DENY';
  *   - 'DENY': Do not allow framing. This is recommended for most wikis.
  *   - 'SAMEORIGIN': Allow framing by pages on the same domain.
  *   - false: Allow all framing.
+ * Note: $wgBreakFrames will override this for human formatted API output.
  */
 $wgApiFrameOptions = 'DENY';
 

diff --git a/includes/api/ApiFormatBase.php b/includes/api/ApiFormatBase.php
index f0037bb..62705ef 100644 (file)
--- a/includes/api/ApiFormatBase.php
+++ b/includes/api/ApiFormatBase.php
@@ -178,6 +178,9 @@ abstract class ApiFormatBase extends ApiBase {
                                );
                        }
 
+                       // API handles its own clickjacking protection.
+                       // Note, that $wgBreakFrames will still override $wgApiFrameOptions for format mode.
+                       $out->allowClickJacking();
                        $out->output();
                } else {
                        // For non-HTML output, clear all errors that might have been