On Tue, Oct 19, 2010 at 4:15 PM, Marco Schuster < [email protected]> wrote:
> On Wed, Oct 20, 2010 at 12:49 AM, Krinkle <[email protected]> wrote:
> > But the short version without /w/index.php but with direct ?parameters
> > doesn't work for action=raw (&ctype=text/javascript)
> >
> > See the error on:
> > http://meta.wikimedia.org/wiki/User:Krinkle/global.js?action=raw
>
> Strange. I'm sure this is to prevent users from using Wikipedia as
> spy-javascript-hoster, but why does
>
> http://meta.wikimedia.org/w/index.php?title=User:Krinkle/global.js&action=raw
> work then?

Internet Explorer, at least until recently (might finally be fixed?), would sometimes interpret "file extensions" on the end of a URL's path component as if they were meaningful file type information, especially when combined with actual content-type headers it considered "ambiguous".

A pretty URL such as "http://meta.wikimedia.org/wiki/Something.html?action=raw" would thus be dangerous, as the ".html" on the end of the wiki page -- a completely meaningless piece of an opaque URL path -- could trigger interpretation of the file's content as actual HTML, etc., thus becoming a vector for JavaScript injection into the wiki's same-origin security context.

To keep that nailed down, we forbade access to action=raw unless the URL's path portion matched the wiki's core entry point exactly. There may be nicer ways to do this now. :)

Back to the original issue -- I agree with Roan that the best way to go is to make sure most such things as the BannerLoader get converted to use the ResourceLoader interface, which eliminates the need to create and manage as many JS/CSS special-page points like this.

I think BannerLoader is part of CentralNotice, which is Scary Code and may or may not fit in nicely though. *shudder* If making short-term tweaks to it without redoing it, be very careful about caching!

-- brion

_______________________________________________
Wikitech-l mailing list
[email protected]
https://lists.wikimedia.org/mailman/listinfo/wikitech-l
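The entry-point rule Brion describes (refuse action=raw unless the path is exactly the core entry point, so no extension-like suffix from a pretty URL can act as a content-type hint), written out as an added Python example. This is not MediaWiki's own code; the entry-point path and the function name are assumptions, and the URLs checked are the ones quoted in the thread.

```python
from urllib.parse import parse_qs, urlsplit

# Assumed core entry point for this example (the thread uses /w/index.php).
CORE_ENTRY_POINT = "/w/index.php"


def raw_request_allowed(url: str, entry_point: str = CORE_ENTRY_POINT) -> tuple[bool, str]:
    """Decide whether an action=raw request may be served.

    Mirrors the rule in the mail: action=raw is refused unless the URL's path
    component matches the wiki's core entry point exactly. A pretty path such
    as /wiki/Foo.html carries a meaningless ".html" suffix that an
    extension-sniffing browser could treat as file-type information, so the
    raw content must only ever be reachable via the bare entry point.
    Returns (allowed, reason) so the caller can log why a request was refused.
    """
    parts = urlsplit(url)
    params = parse_qs(parts.query)
    actions = [a.lower() for a in params.get("action", [])]
    if "raw" not in actions:
        return True, "not an action=raw request"

    path = parts.path
    if path == entry_point:
        return True, "path is exactly the core entry point"

    # Anything else is refused. This deliberately includes path-info forms
    # like /w/index.php/Foo.js: the path merely *starts* with the entry point
    # and still exposes a sniffable suffix, so an exact match is required.
    last_segment = path.rsplit("/", 1)[-1]
    ext = last_segment.rsplit(".", 1)[-1] if "." in last_segment else ""
    reason = f"path {path!r} is not the core entry point"
    if ext:
        reason += f" and ends in a sniffable '.{ext}' suffix"
    return False, reason
```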
