On Tue, Oct 19, 2010 at 4:15 PM, Marco Schuster <marco@harddisk.is-a-geek.org> wrote:
On Wed, Oct 20, 2010 at 12:49 AM, Krinkle krinklemail@gmail.com wrote:
But the short version without /w/index.php but with direct ?parameters doesn't work for action=raw (&ctype=text/javascript)
See the error on:
http://meta.wikimedia.org/wiki/User:Krinkle/global.js?action=raw
Strange. I'm sure this is to prevent users from using Wikipedia as spy-javascript-hoster, but why does
http://meta.wikimedia.org/w/index.php?title=User:Krinkle/global.js&actio... work then?
Internet Explorer, at least until recently (might finally be fixed?), would sometimes interpret "file extensions" on the end of a URL's path component as if they were meaningful file type information, especially when combined with actual content-type headers it considered "ambiguous".
A pretty URL such as "http://meta.wikimedia.org/wiki/Something.html?action=raw" would thus be dangerous, as the ".html" on the end of the wiki page -- a completely meaningless piece of an opaque URL path -- could trigger interpretation of the file's content as actual HTML, etc., and thus become a vector for JavaScript injection into the wiki's same-origin security context.
To keep that nailed down, we forbade access to action=raw unless the URL's path portion matched the wiki's core entry point exactly. There may be nicer ways to do this now. :)
Back to the original issue -- I agree with Roan that the best way to go is to make sure most such things as the BannerLoader get converted to use the ResourceLoader interface, which eliminates the need to create and manage as many JS/CSS special-page points like this.
I think BannerLoader is part of CentralNotice, which is Scary Code and may or may not fit in nicely though. *shudder* If making short-term tweaks to it without redoing it, be very careful about caching!
-- brion
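
The rule described in the message above (serve action=raw only when the URL path is exactly the wiki's core entry point) can be sketched as follows. This is an added example, not part of the original thread and not MediaWiki's own code; `ENTRY_POINT`, the function names and the sample URLs are assumptions made for illustration.

```python
from urllib.parse import urlsplit, parse_qs

# Assumed script path of the wiki's core entry point (hypothetical setting).
ENTRY_POINT = "/w/index.php"


def apparent_extension(path):
    """The 'file extension' a path-sniffing browser could read off the URL."""
    last_segment = path.rsplit("/", 1)[-1]
    if "." not in last_segment:
        return ""
    return last_segment.rsplit(".", 1)[-1].lower()


def check_raw_request(url, entry_point=ENTRY_POINT):
    """Return (allowed, reason) for a request URL.

    Requests that do not ask for action=raw pass through. A raw request is
    served only when the path is byte-for-byte the entry point, so the last
    thing in the path is always the script name, never a page title.
    """
    parts = urlsplit(url)
    actions = parse_qs(parts.query, keep_blank_values=True).get("action", [])
    if "raw" not in actions:
        return True, "not a raw request"
    # No decoding or normalisation: anything that is not identical is refused,
    # which also covers PATH_INFO forms such as /w/index.php/Title.html.
    if parts.path == entry_point:
        return True, "path is the entry point"
    ext = apparent_extension(parts.path) or "none"
    return False, "raw refused: path %r ends in extension %r" % (parts.path, ext)


# Constructed sample requests (host and titles are made up).
SAMPLES = [
    "http://wiki.example/w/index.php?title=User:Alice/global.js&action=raw",
    "http://wiki.example/wiki/User:Alice/global.js?action=raw",
    "http://wiki.example/wiki/Something.html?action=raw",
    "http://wiki.example/w/index.php/Something.html?action=raw",
    "http://wiki.example/wiki/Something.html",
]

if __name__ == "__main__":
    for url in SAMPLES:
        allowed, reason = check_raw_request(url)
        print("ALLOW" if allowed else "DENY ", url, "-", reason)
```

The same page title is allowed through the entry-point form and refused through the pretty-URL form, which is the behaviour the two URLs earlier in the thread show.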