Reported by Nicolas Grégoire.
We already set nosniff, so Chrome/Opera shouldn't be affected. But it probably makes sense to prepend our jsonp with /**/ like rails did https://github.com/rails/rails/pull/16109/files.
it seems that the "api.php" file included in MediaWiki is vulnerable to
a JSONP injection (CVE-2014-4671), which can be abused to bypass the
Same Origin Policy in Flash.
More details on the underlying bug:
Proofs of concept:
As far as I know, several people are already aware of this MediaWiki