On 17/09/13 11:08, Gabriel Wicke wrote:
On 09/16/2013 04:34 PM, Brian Wolff wrote:
Additionally there is some security issues in ie6 when doing foo?action=raw if I recall.
Yes, IIRC some version of IE disregarded the Content-type header and guessed the content type based on the URL and the content. If the URL contained .php (only outside the query string?), it disabled this behavior.
Tim mentions in https://www.mediawiki.org/wiki/Special:Code/MediaWiki/49833#c3561 that this only applied to IE3 and earlier, and IE4 respects the Content-type header. As the market share of IE <= 3 is probably non-existent we could probably blacklist it from logging in and content API access altogether.
This issue affects IE at least up to IE 6, possibly later, see bug 28235.
-- Tim Starling