List of steps to reproduce (step by step, including full links if applicable):
- Visit Special:RecentChanges on your mediawiki
- Wait at least 3 seconds
What happens?:
Every 3 seconds, a javascript kicks in and performs a GET request on the server via XMLHttpRequest
The GET request includes a Content-Type request header, set to "html"
There are 2 issues with this:
- GET requests shouldn't have Content-Type headers (unlike POST, no data which could have a type is sent). This causes unnecessary alarms on mod_security.
- and even if html data was submitted (unusual), it should be text/html rather than just html
What should have happened instead?:
The GET request should not include a Content-Type header.
Software version (if not a Wikimedia wiki), browser information, screenshots, other information, etc.:
Mediawiki: 1:1.35.4-1+deb11u2
Browser: Firefox 91.8.0esr (64-bit)