Last modified: 2011-10-15 22:03:13 UTC
Since the fix for Bug #15461, we are telling browsers not to sniff content when we serve js with action=raw. At least IE9 and probably IE8 have problems. Probably the JS needs to be fixed to do ctype=text/javascript, but I'm filing this in case there are other possible solutions.
IE8 seems to take it even though it shouldn't. ;) IE9 does reject the text/x-wiki script when we send X-Content-Options: nosniff -- this is probably correct behavior for it to do, and should be expected from at least some other browsers. Anything that's loading up JS via action=raw needs to use &ctype=text/javascript -- stuff using importScript should already be using this and should be fine.
http://msdn.microsoft.com/en-us/library/gg622941%28v=vs.85%29.aspx "SCRIPT and STYLESHEET elements will reject responses with incorrect MIME types if the server sends the response header X-Content-Type-Options: nosniff. This is a security feature that helps prevent attacks based on MIME-type confusion."
Actually I think I see where this is happening! The problem is the 'action=raw' without the ctype parameter... we guessed people were doing these manually, but I don't think they are. importScript correctly adds the &ctype=text/javascript .... but it can get stripped in a redirect case.
The affected user's vector.js page loads up what's meant to be the same user's monobook.js by doing an importScript on a Special:MyPage subpage:
    https://en.wikipedia.org/wiki/User:Shubinator/vector.js
    importScript('Special:MyPage/monobook.js');
This goes off to load the very sensible:
    https://en.wikipedia.org/w/index.php?title=Special:MyPage/monobook.js&action=raw&ctype=text/javascript
HOWEVER! That then redirects us to the actual user page.... and drops the ctype parameter:
    https://en.wikipedia.org/w/index.php?title=User:Brion_VIBBER/monobook.js&action=raw
So the actual bug looks like Special:MyPage not forwarding other query string parameters.
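Added example (not part of the original comments and not MediaWiki's code): a small JavaScript model of the redirect described above, showing why the script is rejected under nosniff when ctype is dropped and accepted when the query string is forwarded. The host wiki.example, the function names and both content-type lists are assumptions made for the illustration.

```javascript
// Model only: hypothetical names, constructed URLs, simplified type lists.

// Assumption: ctype values the raw endpoint is willing to echo back.
const ALLOWED_CTYPES = new Set(['text/x-wiki', 'text/javascript', 'text/css']);

// Assumption: types a nosniff-enforcing browser accepts for a <script>.
const SCRIPT_TYPES = new Set([
  'text/javascript', 'application/javascript', 'application/x-javascript',
]);

// Content type an action=raw response would carry for this URL.
// Per the thread, a request without ctype is served as text/x-wiki.
function rawContentType(url) {
  const ctype = new URL(url).searchParams.get('ctype');
  return ctype && ALLOWED_CTYPES.has(ctype) ? ctype : 'text/x-wiki';
}

// Would a browser honouring nosniff execute the response as a script?
function scriptAccepted(url) {
  return SCRIPT_TYPES.has(rawContentType(url));
}

// Redirect as observed in the thread: title is rewritten, action survives,
// every other query parameter (including ctype) is lost.
function redirectDropping(url, targetTitle) {
  const src = new URL(url);
  const out = new URL(src.origin + src.pathname);
  out.searchParams.set('title', targetTitle);
  const action = src.searchParams.get('action');
  if (action !== null) out.searchParams.set('action', action);
  return out.toString();
}

// Redirect that forwards the whole query string and only replaces title.
function redirectForwarding(url, targetTitle) {
  const out = new URL(url);
  out.searchParams.set('title', targetTitle);
  return out.toString();
}

// Constructed request, shaped like the importScript URL in the thread.
const requested = 'https://wiki.example/w/index.php' +
  '?title=Special:MyPage/monobook.js&action=raw&ctype=text/javascript';
const target = 'User:Example/monobook.js';

for (const redirect of [redirectDropping, redirectForwarding]) {
  const location = redirect(requested, target);
  console.log(redirect.name, rawContentType(location), scriptAccepted(location));
}
```

The same check works as a regression test for any redirecting special page: follow the redirect and compare the final response's Content-Type with the ctype that was requested.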
Fixed on trunk in r99067 and REL1_18 in r99068. Not merging to 1.18wmf1 to make sure we don't accidentally think it's already merged.
tagging bugs for Marcus to look at