On 17/09/13 14:01, Gabriel Wicke wrote:
> On 09/16/2013 07:48 PM, Tim Starling wrote:
>> On 17/09/13 11:08, Gabriel Wicke wrote:
>>> Tim mentions in https://www.mediawiki.org/wiki/Special:Code/MediaWiki/49833#c3561 that this only applied to IE3 and earlier, and IE4 respects the Content-type header. As the market share of IE <= 3 is probably non-existent we could probably blacklist it from logging in and content API access altogether.
>> This issue affects IE at least up to IE 6, possibly later, see bug 28235.
> Thanks for the pointer! It is sad that IE6 (and likely IE7) is still haunting us. IE8+ is covered by the X-Content-Type-Options header.
> It sounds like your Content-Disposition solution [1] should still work for IE6/7 where that header is not used otherwise. The existing users of that header all seem to be file-related. Did I miss any use in action handlers?
I'm assuming you can grep for Content-Disposition as well as I can. IIRC, the difficulty with Content-Disposition, in the context of a security patch, was the need to abstract handling of the header out of the various places that send it, so that it would be consistent and demonstrably secure. That would have made the security patch larger and more complex than it needed to be, which would have been a problem for backporters. That shouldn't be a concern for your feature.
-- Tim Starling
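The thread describes two layers of defence against browser content sniffing (X-Content-Type-Options: nosniff for IE8+ and modern browsers, Content-Disposition: attachment as the fallback for IE6/7) and Tim's point that the header should be emitted from one place so it is consistent and checkable. The following is an added illustration, not code from the thread or from MediaWiki: a single hypothetical helper, anti_sniff_headers, that produces both headers with a safely escaped filename (including the RFC 5987 filename* form for non-ASCII names), and an audit function that a test suite or log-review script can run over any response's headers to flag missing protections. The function and parameter names are assumptions made for this example.

```python
"""Centralised anti-sniffing response headers (added example, not MediaWiki code)."""
import re
from urllib.parse import quote


def anti_sniff_headers(content_type: str, filename: str = "response.json") -> dict:
    """Return headers that stop the browser from second-guessing the content type.

    X-Content-Type-Options: nosniff is honoured by IE8+ and modern browsers.
    Content-Disposition: attachment is the fallback the thread proposes for
    IE6/7, which ignore nosniff but do respect a download disposition.
    Hypothetical helper: one place that decides these headers for every response.
    """
    safe_name = _sanitize_filename(filename)
    return {
        "Content-Type": content_type,
        "X-Content-Type-Options": "nosniff",
        "Content-Disposition": "attachment; " + _disposition_params(safe_name),
    }


def _sanitize_filename(name: str) -> str:
    """Remove CR/LF (header injection), NUL and path separators; never return empty."""
    name = re.sub(r"[\r\n\x00/\\]", "", name).strip()
    return name or "download"


def _disposition_params(name: str) -> str:
    """Build the filename parameter(s) for Content-Disposition.

    The quoted `filename=` form escapes backslashes and double quotes. If the
    name contains non-ASCII characters, an RFC 5987 `filename*=` parameter is
    added so the real name survives percent-encoded rather than mangled.
    """
    ascii_name = name.encode("ascii", "replace").decode()  # non-ASCII becomes '?'
    quoted = ascii_name.replace("\\", "\\\\").replace('"', '\\"')
    params = f'filename="{quoted}"'
    if ascii_name != name:
        params += "; filename*=UTF-8''" + quote(name, safe="")
    return params


def audit(headers: dict) -> list:
    """Return a list of anti-sniffing problems found in a response's headers.

    Every content/API response that went through the central helper should
    come back with an empty list; anything else is a candidate for review.
    """
    problems = []
    h = {k.lower(): v for k, v in headers.items()}
    if h.get("x-content-type-options", "").strip().lower() != "nosniff":
        problems.append("missing X-Content-Type-Options: nosniff (IE8+ and modern browsers)")
    disposition = h.get("content-disposition", "").strip().lower()
    if not disposition.startswith("attachment"):
        problems.append("missing Content-Disposition: attachment (IE6/7 fallback)")
    content_type = h.get("content-type", "").lower()
    if content_type.startswith("text/") and "charset=" not in content_type:
        problems.append("text/* Content-Type without an explicit charset")
    return problems


if __name__ == "__main__":
    # Constructed sample: a response built through the helper, and one that bypassed it.
    good = anti_sniff_headers("application/json; charset=utf-8", "query.json")
    legacy = {"Content-Type": "text/plain"}
    print("helper output:", good)
    print("helper audit :", audit(good))
    print("legacy audit :", audit(legacy))
```

Running the module prints the headers the helper emits and an empty problem list for them, alongside the three findings for the constructed legacy response that skipped the helper; wiring audit into a test that iterates over every action or API handler is the "demonstrably secure" property the thread is after.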