Michael Dale wrote:
Turns out IE prompts the user to save the file irregardless of "application/json" to 'text/javascript' format. (if its not include via script tag )
Instead of witting or integrate an XML -> json converter that matches the xml output with the json output ... I am inclined to just quickly add a param that lets us output the json to "text/plain" purely because its faster to integrate. added in r55113
for now this just solves the specific issue of submitting a enctype="multipart/form-data" form to an iframe target and getting the response in similar way that you grab other json api request.
Also added type output per: http://simonwillison.net/2009/Feb/6/json/#c43376
I don't see this as posing security risk as its just a mime type interpretation issue the normal cross site ajax restrictions are still in place. (ie you cant do an cross site iframe and view the result of the output)
The problem is not the expected usage.
Can you confirm that viewing something like http://test.wikipedia.org/w/api.php?action=query&prop=revisions&titl... on Internet Explorer won't get the javascript executed?