As discovered when investigating T199146: "Blocked" response when trying to access constraintsrdf action from production host, if the IP of the user is blocked by MediaWiki, the HTTP response still carries status 200. This is very wrong - if we did not do the action requested, and/or declined to perform the action requested, we should not return status 200.
Event Timeline
Oppose, since this can leak whether the user is blocked to other sites. See https://xsleaks.dev/docs/attacks/error-events/