JSONP requests to service/reasonBreakdown.json fails #19

Open
temi opened this issue Nov 4, 2019 · 6 comments

temi commented Nov 4, 2019

Some endpoints on logger, like service/reasonBreakdown.json, return with the response header Content-Type set to application/json. This happens even for JSONP requests. Browsers are smart enough to change to the correct Content-Type, application/javascript. However, for security reasons, the server can disable auto content-type conversion by setting the X-Content-Type-Options header to nosniff. Such requests are rejected by the browser. At present, collectory makes the JSONP request to show statistics. This could fail and show no stats. There are a few ways to fix this issue:

  1. Configure the server to not send X-Content-Type-Options header.
  2. Making sure appropriate content-type is sent for JSONP requests.
  3. Enable CORS and remove JSONP requests from applications.
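
Option 2 from the list above, as an added example that is not part of the original thread or the logger-service code: a server-side helper that sends a JavaScript content type only for JSONP requests, next to a simplified model of the browser's nosniff check for script loads. The function names, the `callback` parameter name and the sample headers are assumptions.

```javascript
// Added example; all names here are hypothetical, not from logger-service.

// Subset of the JavaScript MIME types a browser accepts for <script>
// when X-Content-Type-Options: nosniff is set.
const JS_MIME_TYPES = new Set([
  "application/javascript",
  "text/javascript",
  "application/ecmascript",
  "application/x-javascript",
]);

// Allow only dotted identifiers as callback names, so the parameter
// cannot place arbitrary script into the response body.
const CALLBACK_RE = /^[A-Za-z_$][\w$]*(\.[A-Za-z_$][\w$]*)*$/;

// Build the response for an endpoint such as service/reasonBreakdown.json.
// query: parsed query parameters; payload: the object to serialise.
function buildResponse(query, payload) {
  const headers = { "X-Content-Type-Options": "nosniff" };
  const callback = query.callback; // parameter name is an assumption
  if (callback === undefined) {
    // Plain request: JSON body, JSON content type.
    headers["Content-Type"] = "application/json";
    return { status: 200, headers, body: JSON.stringify(payload) };
  }
  if (callback.length > 64 || !CALLBACK_RE.test(callback)) {
    headers["Content-Type"] = "application/json";
    return { status: 400, headers, body: JSON.stringify({ error: "invalid callback" }) };
  }
  // JSONP request: wrapped body, JavaScript content type.
  headers["Content-Type"] = "application/javascript; charset=utf-8";
  return { status: 200, headers, body: `${callback}(${JSON.stringify(payload)});` };
}

// Simplified model of the check applied to a <script src> response:
// with nosniff set, only a JavaScript MIME type is executed.
function scriptLoadAllowed(headers) {
  const nosniff = (headers["X-Content-Type-Options"] || "").trim().toLowerCase() === "nosniff";
  const essence = (headers["Content-Type"] || "").split(";")[0].trim().toLowerCase();
  return !nosniff || JS_MIME_TYPES.has(essence);
}

// Constructed sample: the header combination reported in this issue.
const reported = { "Content-Type": "application/json", "X-Content-Type-Options": "nosniff" };
console.log("reported headers load as script:", scriptLoadAllowed(reported));
const fixed = buildResponse({ callback: "showStats" }, { reasons: [] });
console.log("fixed headers load as script:", scriptLoadAllowed(fixed.headers), fixed.body);
```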

ansell commented Nov 4, 2019

Removing X-Content-Type-Options: nosniff is only a temporary workaround, not a fix. Either Option 2 or Option 3 should be implemented before closing this issue.


nickdos commented Jun 2, 2021

Collections-test is not showing usage stats when pointing to logger-test. I can see the request for a JSONP callback is not being wrapped in the JS method, as expected - it's returning normal JSON.

Need to check if the JSONP is being done at app or Nginx level.

EDIT: app previously used the jsonp:0.2 plugin but not in newer Grails 3 version. Therefore need to implement this as a filter/interceptor.


nickdos commented Jul 15, 2021

@Rita-C I think this can be done easily with a Grails interceptor. Here's an example with an old-style Filter:

https://github.com/AtlasOfLivingAustralia/dashboard/blob/master/grails-app/conf/au/org/ala/dashboard/JSONPFilters.groovy


Rita-C commented Jul 20, 2021

> Collections-test is not showing usage stats when pointing to logger-test. I can see the request for a JSONP callback is not being wrapped in the JS method, as expected - it's returning normal JSON.

Collectory updated, refer to AtlasOfLivingAustralia/collectory-plugin#184

Enabled CORS in logger-service


nickdos commented Jul 29, 2021

Code all good.


nickdos commented Aug 4, 2021

Looks good in test, tried 6 different endpoints and all showed expected headers - see screenshot:

image
