
JSONP security fix (http://miki.it/blog/2014/7/8/abusing-jsonp-with-r…

sebest committed May 11, 2015
1 parent 175cc31 commit 22dc9802d4cbe025a3a449d1a5d0bb9de92a5af5
Showing with 12 additions and 5 deletions.
  1. +4 −2 rest/jsonp.go
  2. +8 −3 rest/jsonp_test.go
@@ -70,8 +70,10 @@ func (w *jsonpResponseWriter) WriteJson(v interface{}) error {
if err != nil {
return err
}
// TODO add "/**/" ?
w.Write([]byte(w.callbackName + "("))
// JSONP security fix (http://miki.it/blog/2014/7/8/abusing-jsonp-with-rosetta-flash/)
w.Header().Set("Content-Disposition", "filename=f.txt")
w.Header().Set("X-Content-Type-Options", "nosniff")
w.Write([]byte("/**/" + w.callbackName + "("))
w.Write(b)
w.Write([]byte(")"))
return nil
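Review bot: The new header line `w.Header().Set("Content-Disposition", "filename=f.txt")` carries no disposition type, which RFC 6266 requires (`disposition-type *( ";" disposition-parm )`), and as far as I recall the mitigation in the post cited on the comment line is `attachment; filename=f.txt`, the `attachment` type being what makes a plugin refuse to treat the response as executable content; the line should read `w.Header().Set("Content-Disposition", "attachment; filename=f.txt")`, with the matching HeaderIs assertions in rest/jsonp_test.go updated alongside. Both Header().Set calls only take effect if nothing has yet triggered WriteHeader on the underlying ResponseWriter; WriteJson begins above this hunk, so whether a status has already been written by line 70 cannot be confirmed from here and is worth checking. The added `w.Write([]byte("/**/" + w.callbackName + "("))`, like the pre-existing Write calls below it, discards its error return while the marshal error at the top of the hunk is propagated; checking each write with `if _, err := w.Write(...); err != nil { return err }` would make the method's error handling consistent.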
@@ -1,8 +1,9 @@
package rest
import (
"github.com/ant0ine/go-json-rest/rest/test"
"testing"
"github.com/ant0ine/go-json-rest/rest/test"
)
func TestJsonpMiddleware(t *testing.T) {
@@ -33,10 +34,14 @@ func TestJsonpMiddleware(t *testing.T) {
recorded := test.RunRequest(t, handler, test.MakeSimpleRequest("GET", "http://localhost/ok?callback=parseResponse", nil))
recorded.CodeIs(200)
recorded.HeaderIs("Content-Type", "text/javascript")
recorded.BodyIs("parseResponse({\"Id\":\"123\"})")
recorded.HeaderIs("Content-Disposition", "filename=f.txt")
recorded.HeaderIs("X-Content-Type-Options", "nosniff")
recorded.BodyIs("/**/parseResponse({\"Id\":\"123\"})")
recorded = test.RunRequest(t, handler, test.MakeSimpleRequest("GET", "http://localhost/error?callback=parseResponse", nil))
recorded.CodeIs(500)
recorded.HeaderIs("Content-Type", "text/javascript")
recorded.BodyIs("parseResponse({\"Error\":\"jsonp error\"})")
recorded.HeaderIs("Content-Disposition", "filename=f.txt")
recorded.HeaderIs("X-Content-Type-Options", "nosniff")
recorded.BodyIs("/**/parseResponse({\"Error\":\"jsonp error\"})")
}
