JSONP security fix (http://miki.it/blog/2014/7/8/abusing-jsonp-with-r…

…osetta-flash/)
ant0ine · May 11, 2015 · 22dc980 · 22dc980
1 parent 175cc31
commit 22dc980
Show file tree

Hide file tree

Showing 2 changed files with 12 additions and 5 deletions.
diff --git a/rest/jsonp.go b/rest/jsonp.go
@@ -70,8 +70,10 @@ func (w *jsonpResponseWriter) WriteJson(v interface{}) error {
 	if err != nil {
 		return err
 	}
-	// TODO add "/**/" ?
-	w.Write([]byte(w.callbackName + "("))
+	// JSONP security fix (http://miki.it/blog/2014/7/8/abusing-jsonp-with-rosetta-flash/)
+	w.Header().Set("Content-Disposition", "filename=f.txt")
+	w.Header().Set("X-Content-Type-Options", "nosniff")
+	w.Write([]byte("/**/" + w.callbackName + "("))
 	w.Write(b)
 	w.Write([]byte(")"))
 	return nil

diff --git a/rest/jsonp_test.go b/rest/jsonp_test.go
@@ -1,8 +1,9 @@
 package rest
 
 import (
-	"github.com/ant0ine/go-json-rest/rest/test"
 	"testing"
+
+	"github.com/ant0ine/go-json-rest/rest/test"
 )
 
 func TestJsonpMiddleware(t *testing.T) {
@@ -33,10 +34,14 @@ func TestJsonpMiddleware(t *testing.T) {
 	recorded := test.RunRequest(t, handler, test.MakeSimpleRequest("GET", "http://localhost/ok?callback=parseResponse", nil))
 	recorded.CodeIs(200)
 	recorded.HeaderIs("Content-Type", "text/javascript")
-	recorded.BodyIs("parseResponse({\"Id\":\"123\"})")
+	recorded.HeaderIs("Content-Disposition", "filename=f.txt")
+	recorded.HeaderIs("X-Content-Type-Options", "nosniff")
+	recorded.BodyIs("/**/parseResponse({\"Id\":\"123\"})")
 
 	recorded = test.RunRequest(t, handler, test.MakeSimpleRequest("GET", "http://localhost/error?callback=parseResponse", nil))
 	recorded.CodeIs(500)
 	recorded.HeaderIs("Content-Type", "text/javascript")
-	recorded.BodyIs("parseResponse({\"Error\":\"jsonp error\"})")
+	recorded.HeaderIs("Content-Disposition", "filename=f.txt")
+	recorded.HeaderIs("X-Content-Type-Options", "nosniff")
+	recorded.BodyIs("/**/parseResponse({\"Error\":\"jsonp error\"})")
 }