
JSONP security fix (http://miki.it/blog/2014/7/8/abusing-jsonp-with-r…

1 parent 175cc31 commit 22dc9802d4cbe025a3a449d1a5d0bb9de92a5af5 @sebest sebest committed May 11, 2015
Showing with 12 additions and 5 deletions.
  1. +4 −2 rest/jsonp.go
  2. +8 −3 rest/jsonp_test.go
@@ -70,8 +70,10 @@ func (w *jsonpResponseWriter) WriteJson(v interface{}) error {
if err != nil {
return err
}
- // TODO add "/**/" ?
- w.Write([]byte(w.callbackName + "("))
+ // JSONP security fix (http://miki.it/blog/2014/7/8/abusing-jsonp-with-rosetta-flash/)
+ w.Header().Set("Content-Disposition", "filename=f.txt")
+ w.Header().Set("X-Content-Type-Options", "nosniff")
+ w.Write([]byte("/**/" + w.callbackName + "("))
w.Write(b)
w.Write([]byte(")"))
return nil
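Review bot: The header set on the new line `w.Header().Set("Content-Disposition", "filename=f.txt")` carries no disposition type, so it is not a well-formed Content-Disposition per RFC 6266 (`disposition-type *( ";" disposition-parm )`), and the published Rosetta Flash mitigation this commit cites pairs the `/**/` prefix with an attachment disposition so that a plugin runtime does not treat the response as loadable content; `w.Header().Set("Content-Disposition", "attachment; filename=f.txt")` is the form that does that, and the two matching `HeaderIs` assertions in rest/jsonp_test.go would change with it. The `/**/` prefix on the following line is the part of the fix that holds regardless of how a client handles the header, since the body no longer begins with request-controlled bytes; a comment such as `// Leading /**/ keeps the callback name out of the first bytes of the body, so a crafted callback cannot make the response parse as a Flash file (Rosetta Flash).` would preserve the intent once the linked post is gone. Whether callbackName is restricted to identifier characters is not visible in this hunk — if it is not, the added headers do not stop a callback value from injecting script into a text/javascript response, so that validation should be confirmed where the name is read from the request. The return values of the three w.Write calls are still discarded, which is at odds with the err check at the top of the hunk; returning the first non-nil write error would make WriteJson's error contract consistent. WriteJson starts outside this hunk.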
@@ -1,8 +1,9 @@
package rest
import (
- "github.com/ant0ine/go-json-rest/rest/test"
"testing"
+
+ "github.com/ant0ine/go-json-rest/rest/test"
)
func TestJsonpMiddleware(t *testing.T) {
@@ -33,10 +34,14 @@ func TestJsonpMiddleware(t *testing.T) {
recorded := test.RunRequest(t, handler, test.MakeSimpleRequest("GET", "http://localhost/ok?callback=parseResponse", nil))
recorded.CodeIs(200)
recorded.HeaderIs("Content-Type", "text/javascript")
- recorded.BodyIs("parseResponse({\"Id\":\"123\"})")
+ recorded.HeaderIs("Content-Disposition", "filename=f.txt")
+ recorded.HeaderIs("X-Content-Type-Options", "nosniff")
+ recorded.BodyIs("/**/parseResponse({\"Id\":\"123\"})")
recorded = test.RunRequest(t, handler, test.MakeSimpleRequest("GET", "http://localhost/error?callback=parseResponse", nil))
recorded.CodeIs(500)
recorded.HeaderIs("Content-Type", "text/javascript")
- recorded.BodyIs("parseResponse({\"Error\":\"jsonp error\"})")
+ recorded.HeaderIs("Content-Disposition", "filename=f.txt")
+ recorded.HeaderIs("X-Content-Type-Options", "nosniff")
+ recorded.BodyIs("/**/parseResponse({\"Error\":\"jsonp error\"})")
}
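Review bot: Both new assertion groups exercise only the well-formed callback name `parseResponse`, so the test pins the `/**/` prefix and the two headers but says nothing about how the writer treats a callback value outside the identifier charset, which is the other half of keeping a text/javascript response from echoing request-controlled script. If the middleware rejects such names (not visible in this diff), a third `test.RunRequest` with a non-identifier callback asserting the rejection status would lock that behaviour in; if it passes them through, the same test makes the gap explicit for the next maintainer. TestJsonpMiddleware starts outside this hunk.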

