Brion Vibber wrote:
On Thu, Jun 2, 2011 at 2:20 PM, Roan Kattouwroan.kattouw@gmail.com wrote:
On Thu, Jun 2, 2011 at 10:56 PM, Brion Vibberbrion@pobox.com wrote:
Is there a way we can narrow down this security check so it doesn't keep breaking API requests, action=raw requests, and ResourceLoader requests, etc?
Tim had an idea about redirecting bad URLs to fixed ones. He ran it by me last night his time, and my guess is he'll probably implement it this morning his time. But I'll leave it up to him to elaborate on that.
I know this has already been brought up, but that doesn't work for POST, and may not work for API clients that don't automatically follow redirects. (Which it looks like includes MediaWiki's ForeignAPIRepo since our Http class got redirection turned off by default a couple versions ago.)
Luckily ForeignAPIRepo doesn't spoof IE6, so we can just redirect IE6.