diff --git a/packages/cross-domain/src/jsonp.ts b/packages/cross-domain/src/jsonp.ts
index 85a0c958f652..5c5406d36a2d 100644
--- a/packages/cross-domain/src/jsonp.ts
+++ b/packages/cross-domain/src/jsonp.ts
@@ -12,31 +12,28 @@ export class JSONPService {
   res;
   jsonp(body: any, config?: JSONPOptions) {
-    const { callback, limit } = Object.assign({}, this.jsonpConfig, config);
-    const name = this.ctx.query[callback] || this.ctx.query['callback'];
-    if (name) {
-      this.ctx.type = 'js';
-      // https://developer.mozilla.org/zh-CN/docs/Web/HTTP/Headers/X-Content-Type-Options
-      if (this.ctx.set) {
-        this.ctx.set('x-content-type-options', 'nosniff');
-      } else if (this.res.set) {
-        this.res.set('x-content-type-options', 'nosniff');
-      }
+    this.ctx.type = 'js';
+    // https://developer.mozilla.org/zh-CN/docs/Web/HTTP/Headers/X-Content-Type-Options
+    if (this.ctx.set) {
+      this.ctx.set('x-content-type-options', 'nosniff');
+    } else if (this.res.set) {
+      this.res.set('x-content-type-options', 'nosniff');
+    }
 
-      // Only allow "[","]","a-zA-Z0123456789_", "$" and "." characters.
-      let cb = (this.ctx.query[callback] || 'callback').replace(
-        /[^[\]\w$.]+/g,
-        ''
-      );
+    const { callback, limit } = Object.assign({}, this.jsonpConfig, config);
 
-      if (cb.length > limit) {
-        cb = cb.substring(0, limit);
-      }
+    // Only allow "[","]","a-zA-Z0123456789_", "$" and "." characters.
+    let cb = (this.ctx.query[callback] || 'callback').replace(
+      /[^[\]\w$.]+/g,
+      ''
+    );
 
-      const str = JSON.stringify(body === undefined ? null : body);
-      // protect from jsonp xss
-      return `/**/ typeof ${cb} === 'function' && ${cb}(${str});`;
+    if (cb.length > limit) {
+      cb = cb.substring(0, limit);
     }
-    return body;
+
+    const str = JSON.stringify(body === undefined ? null : body);
+    // protect from jsonp xss
+    return `/**/ typeof ${cb} === 'function' && ${cb}(${str});`;
   }
 }
diff --git a/packages/cross-domain/test/express.test.ts b/packages/cross-domain/test/express.test.ts
index 54294f8986b9..8443f39a62ad 100644
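Review bot: `this.ctx.query[callback]` is treated as a string on the `let cb = (this.ctx.query[callback] || 'callback').replace(` line, but if the framework's query parser returns an array for a repeated key the `.replace` call throws a TypeError rather than falling through to the sanitized default; narrowing first, `const raw = this.ctx.query[callback];` then `let cb = (typeof raw === 'string' && raw ? raw : 'callback').replace(`, keeps the allow-list regex as the only path into the emitted script. The truncation `if (cb.length > limit)` is a silent no-op when `limit` is undefined, so the length cap rests on `jsonpConfig` always supplying it — worth confirming, or defaulting it inline in the destructuring. Since the plain-body return is gone and the method now always emits a JS wrapper with `callback` as the fallback function name, a TSDoc on `jsonp` stating that contract (always sets `ctx.type` to `js` and the nosniff header, returns a script string) would spare the next reader from rediscovering it; `body: any` could also be `unknown`, which `JSON.stringify` accepts unchanged.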
--- a/packages/cross-domain/test/express.test.ts
+++ b/packages/cross-domain/test/express.test.ts
@@ -42,7 +42,7 @@ describe('test/express.test.ts', function () {
       .expect(res => {
         assert(!res.headers['access-control-allow-origin']);
       })
-      .expect(200);
+      .expect(200)
   });
 
   it('jsonp callback', async () => {
@@ -51,11 +51,6 @@ describe('test/express.test.ts', function () {
       .post('/jsonp?callback=fn')
       .expect(200)
       .expect('x-content-type-options', 'nosniff')
-      .expect(`/**/ typeof callback === 'function' && callback({"test":123});`);
-  });
-
-  it('jsonp callback ignore', async () => {
-    const request = await createHttpRequest(app);
-    await request.post('/jsonp').expect(200).expect({ test: 123 });
+      .expect(`/**/ typeof callback === 'function' && callback({"test":123});`)
   });
 });
diff --git a/packages/cross-domain/test/koa.test.ts b/packages/cross-domain/test/koa.test.ts
index 9db5d984d1d3..0c5626106073 100644
--- a/packages/cross-domain/test/koa.test.ts
+++ b/packages/cross-domain/test/koa.test.ts
@@ -8,7 +8,7 @@ describe('test/koa.test.ts', function () {
     try {
       app = await createApp(appDir);
     } catch (e) {
-      console.log('e', e);
+      console.log("e", e);
     }
   });
 
@@ -49,17 +49,14 @@ describe('test/koa.test.ts', function () {
       .expect(200);
   });
 
+
   it('jsonp callback', async () => {
     const request = await createHttpRequest(app);
     await request
       .post('/jsonp?callback=fn')
       .expect(200)
       .expect('x-content-type-options', 'nosniff')
-      .expect(`/**/ typeof callback === 'function' && callback({"test":123});`);
-  });
+      .expect(`/**/ typeof callback === 'function' && callback({"test":123});`)
 
-  it('jsonp callback ignore', async () => {
-    const request = await createHttpRequest(app);
-    await request.post('/jsonp').expect(200).expect({ test: 123 });
   });
 });
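Review bot: The deleted `jsonp callback ignore` case leaves the new always-wrap behaviour of `JSONPService.jsonp` for a request with no callback parameter untested in this file and in koa.test.ts; a case that posts `/jsonp` with no query and asserts the same `callback({"test":123})` wrapper and the `x-content-type-options` header would pin the new contract. The surviving `jsonp callback` case sends `?callback=fn` yet expects `callback(...)`, which suggests the configured query key is not `callback` and that this test exercises the default-name fallback rather than the sanitized client-supplied name; a request using the configured key would cover that path, and the allow-list regex is otherwise unexercised. The rewritten `.expect(200)` and `.expect(\`...\`)` lines drop the statement-terminating semicolon that every neighbouring statement in the hunk keeps.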
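Review bot: `console.log("e", e);` switches to double quotes while every other string in the hunk, including the `createApp(appDir)` context and the `it('jsonp callback', ...)` title, uses single quotes, so the line reads as an accidental formatter difference rather than an intended change. The added empty `+` line in the second hunk sits directly after an existing blank context line, leaving two consecutive blank lines before `it('jsonp callback', ...)`, and the rewritten `.expect(\`...\`)` line loses its trailing semicolon; dropping the extra blank and keeping `console.log('e', e);` would keep the file self-consistent.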