no content sniffing headers break js for ie9
Closed, ResolvedPublic

Description

Since the fix for Bug #15461, we are telling browsers not to sniff content when we serve js with action=raw. At least IE9 and probably IE8 have problems. Probably the JS needs to be fixed to do ctype=text/javascript, but I'm filing this in case there are other possible solutions.


Version: 1.18.x
Severity: normal

bzimport added a project: MediaWiki-JavaScript.Via ConduitNov 21 2014, 11:48 PM
bzimport added a subscriber: wikibugs-l.
bzimport set Reference to bz31400.
MarkAHershberger created this task.Via LegacyOct 6 2011, 12:34 AM
brion added a comment.Via ConduitOct 6 2011, 12:36 AM

IE8 seems to take it even though it shouldn't. ;)

IE9 does reject the text/x-wiki script when we send X-Content-Options: nosniff -- this is probably correct behavior for it to do, and should be expected from at least some other browsers.

Anything that's loading up JS via action=raw needs to use &ctype=text/javascript -- stuff using importScript should already be using this and should be fine.

brion added a comment.Via ConduitOct 6 2011, 12:38 AM

http://msdn.microsoft.com/en-us/library/gg622941%28v=vs.85%29.aspx

"SCRIPT and STYLESHEET elements will reject responses with incorrect MIME types if the server sends the response header X-Content-Type-Options: nosniff. This is a security feature that helps prevent attacks based on MIME-type confusion."

brion added a comment.Via ConduitOct 6 2011, 12:53 AM

Actually I think I see where this is happening!

The problem is the 'action=raw' without the ctype parameter... we guessed people were doing these manually, but I don't think they are.

importScript correctly adds the &ctype=text/javascript .... but it can get stripped in a redirect case.

The affected user's vector.js page loads up what's meant to be the same user's monobook.js by doing an importScript on a Special:MyPage subpage:

https://en.wikipedia.org/wiki/User:Shubinator/vector.js

importScript('Special:MyPage/monobook.js');

This goes off to load the very sensible:
https://en.wikipedia.org/w/index.php?title=Special:MyPage/monobook.js&action=raw&ctype=text/javascript

HOWEVER!

That then redirects us to the actual user page.... and drops the ctype parameter:
https://en.wikipedia.org/w/index.php?title=User:Brion_VIBBER/monobook.js&action=raw

So the actual bug looks like Special:MyPage not forwarding other query string parameters.

brion added a comment.Via ConduitOct 6 2011, 1:14 AM

Fixed on trunk in r99067 and REL1_18 in r99068.

Not merging to 1.18wmf1 to make sure we don't accidentally think it's already merged.

MarkAHershberger added a comment.Via ConduitOct 15 2011, 10:03 PM

tagging bugs for Marcus to look at

Add Comment