On Tue, Oct 19, 2010 at 4:15 PM, Marco Schuster <marco(a)harddisk.is-a-geek.org> wrote:
> On Wed, Oct 20, 2010 at 12:49 AM, Krinkle <krinklemail(a)gmail.com> wrote:
>> But the short version without /w/index.php but with direct ?parameters
>> doesn't for action=raw (&ctype=text/javascript)
>> See the error on:
>> http://meta.wikimedia.org/wiki/User:Krinkle/global.js?action=raw
> Strange. I'm sure this is to prevent users from using Wikipedia as
> spy-javascript-hoster, but why does
> http://meta.wikimedia.org/w/index.php?title=User:Krinkle/global.js&acti…
> work then?
Internet Explorer, at least until recently (might finally be fixed?), would
sometimes interpret "file extensions" on the end of a URL's path component
as if they were meaningful file type information, especially when combined
with actual content-type headers it considered "ambiguous".
A pretty URL such as "http://meta.wikimedia.org/wiki/Something.html?action=raw"
would thus be dangerous, as the ".html" on the end of the wiki page -- a
completely meaningless piece of an opaque URL path -- could trigger
interpretation of the file's content as actual HTML, etc., and thus become a
vector for JavaScript injection into the wiki's same-origin security context.
To keep that nailed down, we forbade access to action=raw unless the URL's
path portion matched the wiki's core entry point exactly. There may be nicer
ways to do this now. :)
Back to the original issue -- I agree with Roan that the best way to go is
to make sure most such things as the BannerLoader get converted to use the
ResourceLoader interface, which eliminates the need to create and manage as
many JS/CSS special-page points like this.
I think BannerLoader is part of CentralNotice, which is Scary Code and may
or may not fit in nicely though. *shudder* If making short-term tweaks to it
without redoing it, be very careful about caching!
-- brion
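The rule Brion describes (serve action=raw only when the URL's path component is exactly the wiki's core entry point, so a sniffing browser never sees a misleading "extension" on a raw response) as a standalone check, written here as an added illustration; it is not MediaWiki's own code. The entry point path `/w/index.php` is taken from the URL in the thread; the function name `raw_action_allowed` and the sample URLs (the thread's own, plus a constructed path-info variant) are assumptions for the example.

```python
from urllib.parse import parse_qs, urlsplit

# Entry point path as it appears in the thread's working URL; in a real
# deployment this would come from configuration (assumption for the example).
SCRIPT_PATH = "/w/index.php"


def raw_action_allowed(url: str, script_path: str = SCRIPT_PATH) -> bool:
    """Decide whether a request for action=raw may be served.

    Only action=raw is restricted: the path component must equal the core
    entry point exactly. Pretty URLs (/wiki/Title) and path-info forms
    (/w/index.php/Title) carry the page title in the path, and a title such
    as "Something.html" or "global.js" could be sniffed as a file extension,
    so they are rejected for raw requests.
    """
    parts = urlsplit(url)
    query = parse_qs(parts.query, keep_blank_values=True)
    # parse_qs returns a list per key; take the last value, as PHP would.
    action = query.get("action", [""])[-1]
    if action != "raw":
        return True  # not a raw request; this guard does not apply
    return parts.path == script_path


def classify(urls: list[str]) -> dict[str, str]:
    """Map each URL to 'allow' or 'deny' under the rule above."""
    return {u: ("allow" if raw_action_allowed(u) else "deny") for u in urls}


if __name__ == "__main__":
    # Sample URLs: the three from the thread plus one constructed path-info form.
    samples = [
        "http://meta.wikimedia.org/w/index.php?title=User:Krinkle/global.js&action=raw&ctype=text/javascript",
        "http://meta.wikimedia.org/wiki/User:Krinkle/global.js?action=raw",
        "http://meta.wikimedia.org/wiki/Something.html?action=raw",
        "http://meta.wikimedia.org/w/index.php/Something.html?action=raw",  # constructed
    ]
    for url, verdict in classify(samples).items():
        print(f"{verdict:5}  {url}")
```

Only the first URL is served: it is the only one whose path is exactly the entry point. A page rendered through the pretty URL without action=raw is untouched by the check, which is the behaviour the thread describes (only raw output was ever gated).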