feat: Set nosniff for JSONP responses (#38)

silvermine · Mar 22, 2019 · 9e86d2a · 9e86d2a
1 parent 13236f9
commit 9e86d2a
Show file tree

Hide file tree

Showing 2 changed files with 11 additions and 1 deletion.
diff --git a/src/Response.ts b/src/Response.ts
@@ -476,8 +476,16 @@ export default class Response {
             .replace(/\u2028/g, '\\u2028')
             .replace(/\u2029/g, '\\u2029');
 
+         // NOTE: The `/**/` is a security mitigation for "Rosetta Flash JSONP abuse", see
+         // silvermine/lambda-express#38. The `typeof` is to prevent errors on the client
+         // if the callback function doesn't exist, see expressjs/express#1773.
          this._body = `/**/ typeof ${callbackFunctionName} === 'function' && ${callbackFunctionName}(${stringified});`;
-         return this.type('text/javascript; charset=utf-8').end();
+
+         return this.type('text/javascript; charset=utf-8')
+            // `nosniff` is set to mitigate "Rosetta Flash JSONP abuse", see
+            // silvermine/lambda-express#38
+            .set('X-Content-Type-Options', 'nosniff')
+            .end();
       }
 
       return this.json(o);

diff --git a/tests/Response.test.ts b/tests/Response.test.ts
@@ -728,6 +728,8 @@ describe('Response', () => {
 
             if (expectsJsonpResponse) {
                output.multiValueHeaders['Content-Type'] = [ 'text/javascript; charset=utf-8' ];
+               // See silvermine/lambda-express#38
+               output.multiValueHeaders['X-Content-Type-Options'] = [ 'nosniff' ];
             } else {
                output.multiValueHeaders['Content-Type'] = [ 'application/json; charset=utf-8' ];
             }