On Thu, Oct 1, 2015 at 2:12 AM, Ad Strack van Schijndel <[email protected]> wrote:

> Hi Chris,
>
> Thanks for your answer! One thing I don't understand is about the XFO headers.
> Do we have to add them, or is it a condition that we don't have them?

You should add them. MediaWiki will set X-Frame-Options: DENY by default on API results and edit pages, but if you have a login box on every page, then you'll need to set that from your webserver for every page (or you could add a patch to MediaWiki to do it).

> Ad
>
>
> On 30 Sep 2015, at 17:48, Chris Steipp <[email protected]> wrote:
>
> Hi Ad,
>
> There are some security considerations if you're going to do that:
>
> * We disable site and user .js on Special:UserLogin, so a malicious admin can't add password-sniffing JavaScript to the login page.
> * We disable framing the page to prevent various redressing attacks.
> * If your site is mixed http/https, there is special handling on that page to ensure the user enters/submits their password over https.
> * If you're using CentralAuth or another SSO system, then we check if you're logged in on Special:UserLogin, to work around some browser cookie policies.
>
> So it's *usually* not a good idea to create your own login widget. But if you're running your site entirely under https, have a limited number of admins, add XFO headers on all pages, and don't use any SSO system, then go for it!
>
>
> On Tuesday, September 29, 2015, Ad Strack van Schijndel <[email protected]> wrote:
>
> > Hi,
> >
> > Is there a way to embed the login and/or the account creation on normal pages?
> >
> > I would like to have the possibility to log in in a sidebar as long as the user is anonymous, so that there are no extra clicks to log in.
> >
> > I'm sure if there isn't, there is a very good reason for that and I would like to understand that reason.
> >
> > Ad
> >
> > _______________________________________________
> > MediaWiki-l mailing list
> > To unsubscribe, go to:
> > https://lists.wikimedia.org/mailman/listinfo/mediawiki-l
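The "add XFO headers on all pages" check discussed above, as an added example that is not part of this thread or of MediaWiki: a small Python checker (the wiki hostname, URLs and response headers are constructed samples) that reports pages lacking X-Frame-Options DENY/SAMEORIGIN or an equivalent CSP frame-ancestors policy, which is the modern replacement for XFO.

```python
"""Report pages of a site that are not protected against framing.

Webserver-side fix the thread recommends (examples, adjust to your setup):
  Apache (mod_headers): Header always set X-Frame-Options "DENY"
  nginx:                add_header X-Frame-Options "DENY" always;
"""
from typing import Dict, List, Tuple
import urllib.request


def frame_protection(headers: Dict[str, str]) -> Tuple[bool, str]:
    """Return (protected?, reason) for one response's headers."""
    h = {k.lower(): v.strip() for k, v in headers.items()}  # case-insensitive
    # CSP frame-ancestors takes precedence over X-Frame-Options in browsers
    for directive in h.get("content-security-policy", "").split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            sources = [p.strip("'").lower() for p in parts[1:]]
            if sources in (["none"], ["self"]):
                return True, f"CSP frame-ancestors {sources[0]}"
            # Host allow-lists need manual review: flag them as unprotected
            return False, f"CSP frame-ancestors permits {' '.join(sources)}"
    xfo = h.get("x-frame-options", "").upper()
    if xfo in ("DENY", "SAMEORIGIN"):
        return True, f"X-Frame-Options: {xfo}"
    if xfo:  # e.g. the obsolete ALLOW-FROM, ignored by current browsers
        return False, f"unsupported X-Frame-Options value: {xfo}"
    return False, "no X-Frame-Options or frame-ancestors header"


def unprotected_pages(responses: Dict[str, Dict[str, str]]) -> List[str]:
    """URLs whose headers do not block framing (a login box there is at risk)."""
    return [url for url, hdrs in responses.items() if not frame_protection(hdrs)[0]]


def fetch_headers(url: str) -> Dict[str, str]:
    """Fetch response headers for a live check (network access required)."""
    with urllib.request.urlopen(url) as resp:
        return dict(resp.headers)


# Constructed sample: MediaWiki sets DENY on the API and login page by default,
# but an ordinary article page carrying an embedded login box has no header.
SAMPLE_RESPONSES = {
    "https://wiki.example.org/w/api.php": {"X-Frame-Options": "DENY"},
    "https://wiki.example.org/wiki/Special:UserLogin": {"X-Frame-Options": "DENY"},
    "https://wiki.example.org/wiki/Main_Page": {"Content-Type": "text/html; charset=UTF-8"},
    "https://wiki.example.org/wiki/Help:Contents": {"Content-Security-Policy": "frame-ancestors 'self'"},
}

if __name__ == "__main__":
    for page in unprotected_pages(SAMPLE_RESPONSES):
        print("unprotected:", page, "-", frame_protection(SAMPLE_RESPONSES[page])[1])
```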
