Changes to raw page security handler:

Changes to raw page security handler:
* Use SCRIPT_URL instead of PHP_SELF if available. This fixes a problem with
some hosts using rewrite rules for subdomains and CGI PHP which breaks
PHP_SELF.
* Instead of redirecting to the canonical URL on a suspect, just return a
403 Forbidden error. This might annoy a small number of people manually
constructing incorrect action=raw URLs, but should be much less invasive
than an infinite redirect loop when there are configuration bugs.