No way to disable charset in Content-Type header? #3490
Comments
There isn't a way to disable it because it was a security vulnerability reported against us (https://nodesecurity.io/advisories/8).

So is this a feature of the Node HTTP package?

Wow, hmm, that's very interesting. I'm quite sure that the spec for JSON states that it must be Unicode encoded, and the RFC states that you could identify the encoding by looking at the first bytes. ref: https://stackoverflow.com/a/14955491/148072 Since reading that I have always started to treat JSON more as a binary protocol, and stopped adding charsets. I would love to see an actual implementation of the hypothetical security hole! Guess I'll start always sending charset now then 😄

There are many resources out there that explain it and many libraries that have fixed it. Here is Laravel fixing it as well: laravel/framework#19967

Wow, super interesting reading: http://blog.portswigger.net/2016/11/json-hijacking-for-modern-web.html
I'm developing an API that will replace another API implemented in another language. Because the clients for this API are implemented badly, they don't accept content types other than "application/json", which means that "application/json; charset=utf-8" breaks them.

Currently, I've been trying to use this middleware before my routes to prevent the charset from being appended:

I usually end responses like this: `res.status(404).json('Not found')`, but with the middleware I'm using, it doesn't seem to work. I've tried to look at the Express code, and from what I can tell, if I use the Express functions `set()`, `header()` or `type()`, the charset automatically gets appended. So I thought that using the native `setHeader()` function would work. When I use the native method, it doesn't seem like it should be overridden, because the `res.json()` function checks if the header is already set before trying to set it, which also uses the native `getHeader()` function.

Is there any way I can get around this, without changing how responses are sent, or am I doing something wrong?
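An added example (not code from the Express project or from anyone in this thread) showing the two sides of the disagreement above: a server-side rule that every textual response carries an explicit charset, so a browser never has to sniff the encoding, and the client-side media-type check that tolerates parameters instead of comparing the whole header string. The helper names and the list of "textual" types are assumptions of this example.

```javascript
// Added example, not Express's own code. Types treated as textual is an
// assumption of this example: text/*, JSON, JavaScript, XML and +json/+xml.
const TEXTUAL = /^(text\/.+|application\/(json|javascript|xml)|.+\+(json|xml))$/i;

// Parse "type/subtype; key=value; ..." into a lowercased media type and a
// map of parameters (parameter names are case-insensitive, values may be quoted).
function parseContentType(header) {
  const [rawType, ...rawParams] = String(header).split(';');
  const params = {};
  for (const p of rawParams) {
    const eq = p.indexOf('=');
    if (eq === -1) continue; // ignore malformed parameter fragments
    const key = p.slice(0, eq).trim().toLowerCase();
    let value = p.slice(eq + 1).trim();
    if (value.length >= 2 && value.startsWith('"') && value.endsWith('"')) {
      value = value.slice(1, -1);
    }
    params[key] = value;
  }
  return { type: rawType.trim().toLowerCase(), params };
}

// Server side: append charset to textual types that lack one, leaving binary
// types and headers that already declare a charset untouched. This is the
// behaviour the maintainers defend above: no charset means the browser guesses.
function withCharset(header, charset = 'utf-8') {
  const { type, params } = parseContentType(header);
  if (!TEXTUAL.test(type) || params.charset) return header;
  return `${header}; charset=${charset}`;
}

// Client side: compare the parsed media type, not the raw header string.
// A client that does `header === 'application/json'` is the kind that breaks
// on "application/json; charset=utf-8"; this check does not.
function acceptsJson(header) {
  const { type } = parseContentType(header);
  return type === 'application/json' || type.endsWith('+json');
}
```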