Page MenuHomePhabricator

interwiki forwarding doesn't work for importScript()
Open, NormalPublic

Description

For example, here's a transcript from Firefox 24's Web Console on [[s:en:Help:Introduction]]:

[13:03:11.991] importScript('w:en:User:Jackmcbarn/advancedtemplatesandbox.js')
[13:03:12.029] [object HTMLScriptElement]
[13:03:12.225] GET https://en.wikisource.org/w/index.php?title=w:en:User:Jackmcbarn/advancedtemplatesandbox.js&action=raw&ctype=text/javascript [HTTP/1.1 301 Moved Permanently 156ms]
[13:03:12.728] GET https://en.wikipedia.org/wiki/en:User:Jackmcbarn/advancedtemplatesandbox.js?action=raw&ctype=text%2Fjavascript [HTTP/1.1 403 Forbidden 203ms]

In English, what happened is:

  1. I ran "importScript('w:en:User:Jackmcbarn/advancedtemplatesandbox.js')"
  2. importScript() (correctly) tried to load the script from the URL https://en.wikisource.org/w/index.php?title=w:en:User:Jackmcbarn/advancedtemplatesandbox.js&action=raw&ctype=text/javascript
  3. en.wikisource.org tried to forward that to https://en.wikipedia.org/wiki/en:User:Jackmcbarn/advancedtemplatesandbox.js?action=raw&ctype=text%2Fjavascript
  4. en.wikipedia.org rejected the resulting request, reportedly because of something bad IE does with such URLs

If en.wikisource.org would forward to https://en.wikipedia.org/w/index.php?title=User:Jackmcbarn/advancedtemplatesandbox.js&action=raw&ctype=text/javascript instead, this whole thing would actually work.


Version: unspecified
Severity: normal

Details

Reference
bz63381

Event Timeline

bzimport raised the priority of this task from to Normal.Nov 22 2014, 3:05 AM
bzimport added a project: MediaWiki-General.
bzimport set Reference to bz63381.
bzimport added a subscriber: Unknown Object (MLST).
SamB created this task.Apr 1 2014, 6:04 PM
SamB added a comment.Apr 2 2014, 12:32 AM

Oh, I forgot to mention the motivation for this to work, which is that this syntax would be more convenient to add to ~/common.js than the calls to mw.loader.load() with gigantic URLs that we have to use now.

TheDJ removed a subscriber: wikibugs-l-list.

Found this crap myself trying to feed an interwiki prefix to importScript – see https://commons.wikimedia.org/wiki/File:Cross-site_importScript_resulted_in_HTTP_403.png

Documented it because deemed that something broke down, but now found on MediaWiki.org that it’s not a bug but a security feature. It would be nice to see some developers (of both core and the importScript wrapper) at last.