As we were investigating T280428 we noticed that ResourceLoader output at https://fa.wikipedia.org/w/load.php?lang=fa&only=styles&skin=vector&modules=skins.vector.icons%2Cstyles contains an @import statement that is followed by the internal path of a file on WMF production servers:
Internal paths should never leak into the client-side output of RL. Not only this could be a security risk (particularly for non-WMF wikis), but also these paths are not usable by the client.
Not tagging this task as Security because what is leaked here is of no risk to WMF. But if it should be tagged as such in the interest of non-WMF wikis, please modify.