On 09/16/2013 04:34 PM, Brian Wolff wrote:
> Additionally there are some security issues in IE6 when doing foo?action=raw, if I recall.
Yes, IIRC some version of IE disregarded the Content-type header and guessed the content type based on the URL and the content. If the URL contained .php (only outside the query string?), it disabled this behavior.
Tim mentions in https://www.mediawiki.org/wiki/Special:Code/MediaWiki/49833#c3561 that this only applied to IE3 and earlier, and IE4 respects the Content-type header. As the market share of IE <= 3 is probably non-existent we could probably blacklist it from logging in and content API access altogether.
According to [1] and [2] there is also a 'X-Content-Type-Options: nosniff' header that disables this behavior for IE and Chrome. I doubt that it works in IE3 though. Anybody up for some testing with an ancient IE3 install?
Gabriel
[1]: http://msdn.microsoft.com/en-us/library/dd565661(v=vs.85).aspx
[2]: https://www.owasp.org/index.php/List_of_useful_HTTP_headers
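Added example, not MediaWiki's code and not part of this thread: a small Python check that builds the response headers a hardened raw-text endpoint should send (declared type plus `X-Content-Type-Options: nosniff`, as discussed in [1] and [2]) and flags responses that a sniffing browser could re-interpret. The header names are real; `SNIFFABLE_MEDIA_TYPES`, the helper names and the sample wikitext are assumptions constructed for the example.

```python
from typing import Dict, List, Mapping, Optional

# Media types that sniffing browsers may re-interpret by inspecting the body.
# Assumption: a representative list for the example, not an exhaustive one.
SNIFFABLE_MEDIA_TYPES = {
    "text/plain",
    "application/octet-stream",
    "application/unknown",
    "unknown/unknown",
}


def get_header(headers: Mapping[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup (HTTP header names are case-insensitive)."""
    wanted = name.lower()
    for key, value in headers.items():
        if key.lower() == wanted:
            return value
    return None


def raw_response_headers(wikitext: str) -> Dict[str, str]:
    """Headers a hardened action=raw-style endpoint sends with user-supplied text.

    text/x-wiki declares the real type; nosniff tells browsers that honour it
    to trust the declared type instead of guessing from the body.
    """
    body = wikitext.encode("utf-8")
    return {
        "Content-Type": "text/x-wiki; charset=UTF-8",
        "X-Content-Type-Options": "nosniff",
        "Content-Length": str(len(body)),
    }


def looks_like_html(body: bytes) -> bool:
    """Cheap heuristic for a body that a sniffing browser might promote to HTML."""
    head = body[:512].lstrip().lower()
    return head.startswith(b"<") and any(
        tag in head for tag in (b"<html", b"<script", b"<body")
    )


def sniff_findings(headers: Mapping[str, str], body: bytes) -> List[str]:
    """Return the reasons a response is exposed to content sniffing.

    An empty list means the response declares a non-sniffable type and opts
    out of sniffing; it says nothing about browsers that ignore both signals
    (the IE3 question raised in the thread).
    """
    findings: List[str] = []

    content_type = get_header(headers, "Content-Type")
    if content_type is None:
        findings.append("Content-Type header missing")
    else:
        media = content_type.split(";", 1)[0].strip().lower()
        if media in SNIFFABLE_MEDIA_TYPES:
            findings.append(f"sniffable media type {media!r}")

    nosniff = get_header(headers, "X-Content-Type-Options")
    sniff_blocked = nosniff is not None and nosniff.strip().lower() == "nosniff"
    if not sniff_blocked:
        findings.append("X-Content-Type-Options: nosniff missing")

    # Only worth reporting when nothing stops the browser from sniffing.
    if not sniff_blocked and looks_like_html(body):
        findings.append("body starts with HTML-like markup")
    return findings


# Constructed sample: user-saved wikitext that happens to hold HTML-like markup.
SAMPLE_WIKITEXT = "<html><body>== Heading ==\nSome [[wikitext]] text</body></html>"
SAMPLE_BODY = SAMPLE_WIKITEXT.encode("utf-8")

# Constructed weak response: generic text type and no nosniff opt-out.
WEAK_HEADERS = {"Content-Type": "text/plain; charset=UTF-8"}

if __name__ == "__main__":
    print("weak:", sniff_findings(WEAK_HEADERS, SAMPLE_BODY))
    print("hardened:", sniff_findings(raw_response_headers(SAMPLE_WIKITEXT), SAMPLE_BODY))
```

Run against a captured response's headers and body, the check reports the weak response three times over and the hardened one not at all. As the thread notes, `nosniff` only helps browsers that implement it; the header lookup is case-insensitive so that `x-content-type-options: NoSniff` as emitted by some stacks is still recognised.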