Last modified: 2011-10-15 22:03:13 UTC

Wikimedia Bugzilla is closed!

Wikimedia migrated from Bugzilla to Phabricator. Bug reports are handled in Wikimedia Phabricator.
This static website is read-only and for historical purposes. It is not possible to log in and except for displaying bug reports and their history, links might be broken. See T33400, the corresponding Phabricator task for complete and up-to-date bug report information.
Bug 31400 - no content sniffing headers break js for ie9
Status: RESOLVED FIXED
Product: MediaWiki
Classification: Unclassified
Component: JavaScript
Version: 1.18.x
Hardware: All All
Importance: Unprioritized normal
Assigned To: Nobody - You can work on this!
Keywords: need-integration-test
Blocks: 29876

Reported: 2011-10-06 00:34 UTC by Mark A. Hershberger
Modified: 2011-10-15 22:03 UTC


Description Mark A. Hershberger 2011-10-06 00:34:29 UTC
Since the fix for Bug #15461, we are telling browsers not to sniff content when we serve js with action=raw.  At least IE9 and probably IE8 have problems.  Probably the JS needs to be fixed to do ctype=text/javascript, but I'm filing this in case there are other possible solutions.
Comment 1 Brion Vibber 2011-10-06 00:36:28 UTC
IE8 seems to take it even though it shouldn't. ;)

IE9 does reject the text/x-wiki script when we send X-Content-Options: nosniff -- this is probably correct behavior for it to do, and should be expected from at least some other browsers.

Anything that's loading up JS via action=raw needs to use &ctype=text/javascript -- stuff using importScript should already be using this and should be fine.
Comment 2 Brion Vibber 2011-10-06 00:38:47 UTC
http://msdn.microsoft.com/en-us/library/gg622941%28v=vs.85%29.aspx

"SCRIPT and STYLESHEET elements will reject responses with incorrect MIME types if the server sends the response header X-Content-Type-Options: nosniff. This is a security feature that helps prevent attacks based on MIME-type confusion."
Comment 3 Brion Vibber 2011-10-06 00:53:25 UTC
Actually I think I see where this is happening!

The problem is the 'action=raw' without the ctype parameter... we guessed people were doing these manually, but I don't think they are.

importScript correctly adds the &ctype=text/javascript .... but it can get stripped in a redirect case.

The affected user's vector.js page loads up what's meant to be the same user's monobook.js by doing an importScript on a Special:MyPage subpage:


https://en.wikipedia.org/wiki/User:Shubinator/vector.js

  importScript('Special:MyPage/monobook.js');

This goes off to load the very sensible:
https://en.wikipedia.org/w/index.php?title=Special:MyPage/monobook.js&action=raw&ctype=text/javascript

HOWEVER!

That then redirects us to the actual user page.... and drops the ctype parameter:
https://en.wikipedia.org/w/index.php?title=User:Brion_VIBBER/monobook.js&action=raw

So the actual bug looks like Special:MyPage not forwarding other query string parameters.
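
Added example, not part of the original thread and not MediaWiki code: a simplified JavaScript model of the redirect described in Comment 3, showing how a dropped ctype parameter becomes a script rejected under nosniff, plus a regression check for parameters lost across a redirect. The function names, the accepted MIME list, the "ctype or text/x-wiki" rule and the User:Example title are assumptions made for illustration.

```javascript
// Simplified model of the behaviour discussed in this bug (illustrative names, not MediaWiki's).

// Script MIME types accepted when nosniff is in force (assumed subset for the demo).
const SCRIPT_TYPES = new Set([
  'text/javascript', 'application/javascript', 'application/x-javascript',
  'text/ecmascript', 'application/ecmascript',
]);

// Model of action=raw: answer with the requested ctype, else text/x-wiki.
function rawContentType(url) {
  return new URL(url).searchParams.get('ctype') || 'text/x-wiki';
}

// Redirect as observed in the thread: new title and action survive, ctype is lost.
function redirectDroppingParams(requestUrl, resolvedTitle) {
  const src = new URL(requestUrl);
  const dst = new URL(src.origin + src.pathname);
  dst.searchParams.set('title', resolvedTitle);
  if (src.searchParams.has('action')) {
    dst.searchParams.set('action', src.searchParams.get('action'));
  }
  return dst.toString();
}

// Redirect that swaps the title and forwards every other query parameter.
function redirectForwardingParams(requestUrl, resolvedTitle) {
  const dst = new URL(requestUrl);
  dst.searchParams.set('title', resolvedTitle);
  return dst.toString();
}

// Would a <script> load of finalUrl execute? Without nosniff the browser sniffs and runs it.
function scriptRuns(finalUrl, nosniff) {
  return !nosniff || SCRIPT_TYPES.has(rawContentType(finalUrl));
}

// Regression check: query parameters (other than title) lost across a redirect.
function droppedParams(requestUrl, redirectUrl) {
  const after = new URL(redirectUrl).searchParams;
  return [...new URL(requestUrl).searchParams.keys()]
    .filter((k) => k !== 'title' && !after.has(k));
}

// Constructed sample: the importScript URL from the thread, resolved to a made-up user.
const request = 'https://en.wikipedia.org/w/index.php' +
  '?title=Special:MyPage/monobook.js&action=raw&ctype=text/javascript';
for (const redirect of [redirectDroppingParams, redirectForwardingParams]) {
  const target = redirect(request, 'User:Example/monobook.js');
  console.log(redirect.name, rawContentType(target),
    'runs under nosniff:', scriptRuns(target, true),
    'dropped:', droppedParams(request, target));
}
```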
Comment 4 Brion Vibber 2011-10-06 01:14:04 UTC
Fixed on trunk in r99067 and REL1_18 in r99068.

Not merging to 1.18wmf1 to make sure we don't accidentally think it's already merged.
Comment 5 Mark A. Hershberger 2011-10-15 22:03:13 UTC
tagging bugs for Marcus to look at
