Redmine

1/ redmine ignores accept headers and jquery dataType attribute

The Accept request-header field can be used to specify certain media types which are acceptable for the response.

If no Accept header field is present, then it is assumed that the client accepts all media types. If an Accept header field is present, and if the server cannot send a response which is acceptable according to the combined Accept field value, then the server SHOULD send a 406 (not acceptable) response.

http://api.jquery.com/jQuery.ajax/

The type of data that you're expecting back from the server. If none is specified, jQuery will try to infer it based on the MIME type of the response (an XML MIME type will yield XML, in 1.4 JSON will yield a JavaScript object, in 1.4 script will execute the script, and anything else will be returned as a string). The available types (and the result passed as the first argument to your success callback)

examples:

curl -v -H http://demo.redmine.org/issues.json
-> 200 + json OK!

but
curl -v -H "Accept: application/json" http://demo.redmine.org/issues
-> 500 no builder for format

expected (with patch)
-> 200 + json output

in some cases html is returned even if json was requested

2/ 406 error raises exception

curl -v http://demo.redmine.org/issues.xxx
-> 406 + exception ActionController::UnknownFormat

expected (with patch)
-> 406 no exception

3/ csrf protection - useful to avoid exceptions because of site-scanner bots

curl -v -H "Accept: text/javascript" http://demo.redmine.org/issues/new
-> 422 + exception ActionController::InvalidCrossOriginRequest: Security warning: an embedded <script> tag on another site requested protected JavaScript.

expected
-> 400 - no exception