New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
prepend jsonp callbacks with a comment to prevent the rosetta-flash vulnerability #1766
Changes from all commits
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -1011,7 +1011,7 @@ describe('Response', function () { | |
|
||
server.inject('/?callback=me', function (res) { | ||
|
||
expect(res.payload).to.equal('me({"some":"value"});'); | ||
expect(res.payload).to.equal('/**/me({"some":"value"});'); | ||
expect(res.headers['content-length']).to.equal(21); | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. JSON-P responses should also get an See https://gist.github.com/mathiasbynens/5547352 for an example in PHP (LOLWAT, I know). There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. That header can be added by setting {
security: {
noSniff: true
}
} in your server options. Or with several other security related headers by just setting Just to remind people that this functionality does exist. There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Do you think it would make sense to enable this header by default for JSON-P responses? There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. For a while I think @hueniverse was debating enabling all of the security headers by default. I'm not sure how he feels about this. There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. I'll submit another PR and we can find out :] There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. |
||
done(); | ||
}); | ||
|
@@ -1060,7 +1060,7 @@ describe('Response', function () { | |
Zlib.unzip(new Buffer(res.payload, 'binary'), function (err, result) { | ||
|
||
expect(err).to.not.exist; | ||
expect(result.toString()).to.equal('docall({"first":"1","last":"2"});'); | ||
expect(result.toString()).to.equal('/**/docall({"first":"1","last":"2"});'); | ||
done(); | ||
}); | ||
}); | ||
|
@@ -1078,7 +1078,7 @@ describe('Response', function () { | |
|
||
server.inject('/?callback=me', function (res) { | ||
|
||
expect(res.payload).to.equal('me(value);'); | ||
expect(res.payload).to.equal('/**/me(value);'); | ||
expect(res.headers['content-length']).to.equal(10); | ||
done(); | ||
}); | ||
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
+ 7