no content sniffing headers break js for ie9
Closed, Resolved, Public

Description

Since the fix for Bug #15461, we are telling browsers not to sniff content when we serve js with action=raw. At least IE9 and probably IE8 have problems. Probably the JS needs to be fixed to do ctype=text/javascript, but I'm filing this in case there are other possible solutions.


Version: 1.18.x
Severity: normal

bzimport added a project: MediaWiki-JavaScript. Via Conduit, Nov 21 2014, 11:48 PM
bzimport added a subscriber: wikibugs-l.
bzimport set Reference to bz31400.
MarkAHershberger created this task. Via Legacy, Oct 6 2011, 12:34 AM
brion added a comment. Via Conduit, Oct 6 2011, 12:36 AM

IE8 seems to take it even though it shouldn't. ;)

IE9 does reject the text/x-wiki script when we send X-Content-Options: nosniff -- this is probably correct behavior for it to do, and should be expected from at least some other browsers.

Anything that's loading up JS via action=raw needs to use &ctype=text/javascript -- stuff using importScript should already be using this and should be fine.

brion added a comment. Via Conduit, Oct 6 2011, 12:38 AM

http://msdn.microsoft.com/en-us/library/gg622941%28v=vs.85%29.aspx

"SCRIPT and STYLESHEET elements will reject responses with incorrect MIME types if the server sends the response header X-Content-Type-Options: nosniff. This is a security feature that helps prevent attacks based on MIME-type confusion."

brion added a comment. Via Conduit, Oct 6 2011, 12:53 AM

Actually I think I see where this is happening!

The problem is the 'action=raw' without the ctype parameter... we guessed people were doing these manually, but I don't think they are.

importScript correctly adds the &ctype=text/javascript .... but it can get stripped in a redirect case.

The affected user's vector.js page loads up what's meant to be the same user's monobook.js by doing an importScript on a Special:MyPage subpage:

https://en.wikipedia.org/wiki/User:Shubinator/vector.js

importScript('Special:MyPage/monobook.js');

This goes off to load the very sensible:
https://en.wikipedia.org/w/index.php?title=Special:MyPage/monobook.js&action=raw&ctype=text/javascript

HOWEVER!

That then redirects us to the actual user page.... and drops the ctype parameter:
https://en.wikipedia.org/w/index.php?title=User:Brion_VIBBER/monobook.js&action=raw

So the actual bug looks like Special:MyPage not forwarding other query string parameters.

brion added a comment. Via Conduit, Oct 6 2011, 1:14 AM

Fixed on trunk in r99067 and REL1_18 in r99068.

Not merging to 1.18wmf1 to make sure we don't accidentally think it's already merged.

MarkAHershberger added a comment. Via Conduit, Oct 15 2011, 10:03 PM

tagging bugs for Marcus to look at
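
The failure diagnosed in this thread, modelled as an added example (not part of the original report and not MediaWiki's code): a redirect that drops ctype turns an acceptable script URL into one a nosniff-enforcing browser rejects, while forwarding the query string keeps it loadable. The function names, the accepted-type list and the redirect model are assumptions for illustration; the URLs are the ones quoted in the comments above.

```javascript
// Added illustration: names, MIME list and redirect model are assumptions, not MediaWiki code.

// Script MIME types accepted for <script> under nosniff (subset assumed for this sketch).
const SCRIPT_TYPES = new Set([
  'text/javascript', 'application/javascript', 'application/x-javascript', 'text/ecmascript',
]);

// Models action=raw as described in the thread: the Content-Type follows ctype,
// and without ctype the response is served as text/x-wiki.
function rawContentType(url) {
  const q = new URL(url).searchParams;
  return q.get('action') === 'raw' ? (q.get('ctype') || 'text/x-wiki') : 'text/html';
}

// Would a <script> load of this URL be accepted by the browser?
// With nosniff the declared type must be a script type; without it the browser sniffs.
function scriptAccepted(url, nosniff = true) {
  return !nosniff || SCRIPT_TYPES.has(rawContentType(url));
}

// Models the Special:MyPage redirect to the user's own page.
// forwardQuery=false reproduces the redirect seen in the thread (title and action only);
// forwardQuery=true carries every other query parameter across the redirect.
function resolveMyPage(url, user, forwardQuery) {
  const src = new URL(url);
  const title = src.searchParams.get('title') || '';
  const prefix = 'Special:MyPage';
  if (!title.startsWith(prefix)) return url; // not a MyPage request, nothing to redirect
  const dst = new URL(src.origin + src.pathname);
  dst.searchParams.set('title', 'User:' + user + title.slice(prefix.length));
  for (const [key, value] of src.searchParams) {
    if (key === 'title') continue;
    if (forwardQuery || key === 'action') dst.searchParams.set(key, value);
  }
  return dst.toString();
}

// URL generated by importScript('Special:MyPage/monobook.js'), as quoted in the thread.
const REQUEST = 'https://en.wikipedia.org/w/index.php?title=Special:MyPage/monobook.js&action=raw&ctype=text/javascript';

for (const forward of [false, true]) {
  const target = resolveMyPage(REQUEST, 'Brion_VIBBER', forward);
  console.log(forward ? 'forwarding:' : 'dropping:  ', rawContentType(target),
    scriptAccepted(target) ? 'accepted' : 'rejected under nosniff');
}
```

The same check can be pointed at any list of action=raw script URLs to find loads that lack ctype before a nosniff header is rolled out.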
