
No way to disable charset in Content-Type header? #3490

Closed
tomasruud opened this issue Nov 29, 2017 · 5 comments

@tomasruud

I'm developing an API that will replace another API implemented in another language. Because the clients for this API are implemented badly, they don't accept content types other than "application/json"; this means that "application/json; charset=utf-8" breaks them.

Currently, I've been trying to use this middleware before my routes to prevent the charset from being appended:

const express = require('express');
const app = express();

// Registered before the routes, so the header is already present when res.json() runs
app.use((req, res, next) => {
  res.setHeader('Content-Type', 'application/json');
  return next();
});

I usually end responses like this res.status(404).json('Not found'), but with the middleware I'm using, it doesn't seem to work. I've tried to look at the Express code, and from what I can tell, if I use the Express function set(), header() or type() the charset automatically gets appended. So when I use the native setHeader() function I thought that would work. When I use the native method, it doesn't seem like it should be overridden, because the res.json() function checks if the header is already set before trying to set it, which also uses the native getHeader() function.

Is there any way I can get around this, without changing how responses are sent, or am I doing something wrong?

@dougwilson
Contributor

There isn't a way to disable it because it was a security vulnerability reported against us (https://nodesecurity.io/advisories/8).

@tomasruud
Author

So is this a feature of the Node HTTP package?

@LinusU
Member

LinusU commented Nov 29, 2017

Wow, hmm, that's very interesting. I'm quite sure that the spec for JSON states that it must be Unicode encoded, and the RFC states that you could identify the encoding by looking at the first bytes.

ref: https://stackoverflow.com/a/14955491/148072

Since reading that I have always started to treat JSON more as a binary protocol, and stopped adding charsets. I would love to see an actual implementation of the hypothetical security hole!

Guess I'll start always sending charset now then 😄

@dougwilson
Contributor

There are many resources out there that explain it and many libraries who have fixed it. Here is Laravel fixing it as well: laravel/framework#19967

@dougwilson dougwilson self-assigned this Nov 29, 2017
@LinusU
Member

LinusU commented Nov 29, 2017

Wow, super interesting reading: http://blog.portswigger.net/2016/11/json-hijacking-for-modern-web.html
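The behaviour the thread describes, as an added example that is not Express's own code: a Content-Type normaliser that always pins an explicit charset on a JSON response (even when the header was pre-set without one, which is why the middleware above has no effect), plus an audit helper a reviewer can run over captured response headers to flag the weak form. The function names `ensureCharset`, `auditContentType` and `sendJson` are hypothetical and the sample headers are constructed.

```javascript
// Split "type/subtype; k=v; k2=v2" into a lower-cased media type and its parameters.
function parseContentType(value) {
  const [type, ...rest] = String(value).split(';');
  const params = {};
  for (const p of rest) {
    const idx = p.indexOf('=');
    if (idx === -1) continue;
    const k = p.slice(0, idx).trim().toLowerCase();
    let v = p.slice(idx + 1).trim();
    if (v.startsWith('"') && v.endsWith('"')) v = v.slice(1, -1);
    params[k] = v;
  }
  return { type: type.trim().toLowerCase(), params };
}

// Add the charset parameter, or replace one that is already there; other parameters survive.
function ensureCharset(value, charset = 'utf-8') {
  const ct = parseContentType(value);
  ct.params.charset = charset;
  const paramStr = Object.entries(ct.params).map(([k, v]) => `${k}=${v}`).join('; ');
  return `${ct.type}; ${paramStr}`;
}

// Defender-side check: a JSON response without an explicit UTF-8 charset is reported.
function auditContentType(value) {
  const ct = parseContentType(value);
  if (ct.type !== 'application/json') return { ok: true, reason: 'not json' };
  if (!ct.params.charset) return { ok: false, reason: 'missing charset' };
  if (ct.params.charset.toLowerCase() !== 'utf-8') return { ok: false, reason: 'charset is not utf-8' };
  return { ok: true, reason: 'ok' };
}

// Modelled on the flow in the thread: a missing Content-Type defaults to application/json,
// and because the serialised body is a string, the charset is pinned regardless of what
// the header held beforehand (assumption: headers are a plain object keyed in lower case).
function sendJson(headers, body) {
  const out = { ...headers };
  if (!out['content-type']) out['content-type'] = 'application/json';
  out['content-type'] = ensureCharset(out['content-type']);
  return { headers: out, body: JSON.stringify(body) };
}

// Constructed sample: the header the original middleware set, then what the client actually sees.
const demo = sendJson({ 'content-type': 'application/json' }, 'Not found');
console.log(demo.headers['content-type'], auditContentType(demo.headers['content-type']));
```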
