diff --git a/packages/cross-domain/src/jsonp.ts b/packages/cross-domain/src/jsonp.ts
index 5c5406d36a2d..85a0c958f652 100644
--- a/packages/cross-domain/src/jsonp.ts
+++ b/packages/cross-domain/src/jsonp.ts
@@ -12,28 +12,31 @@ export class JSONPService {
 res;
 jsonp(body: any, config?: JSONPOptions) {
- this.ctx.type = 'js';
- // https://developer.mozilla.org/zh-CN/docs/Web/HTTP/Headers/X-Content-Type-Options
- if (this.ctx.set) {
- this.ctx.set('x-content-type-options', 'nosniff');
- } else if (this.res.set) {
- this.res.set('x-content-type-options', 'nosniff');
- }
-
 const { callback, limit } = Object.assign({}, this.jsonpConfig, config);
+ const name = this.ctx.query[callback] || this.ctx.query['callback'];
+ if (name) {
+ this.ctx.type = 'js';
+ // https://developer.mozilla.org/zh-CN/docs/Web/HTTP/Headers/X-Content-Type-Options
+ if (this.ctx.set) {
+ this.ctx.set('x-content-type-options', 'nosniff');
+ } else if (this.res.set) {
+ this.res.set('x-content-type-options', 'nosniff');
+ }
- // Only allow "[","]","a-zA-Z0123456789_", "$" and "." characters.
- let cb = (this.ctx.query[callback] || 'callback').replace(
- /[^[\]\w$.]+/g,
- ''
- );
+ // Only allow "[","]","a-zA-Z0123456789_", "$" and "." characters.
+ let cb = (this.ctx.query[callback] || 'callback').replace(
+ /[^[\]\w$.]+/g,
+ ''
+ );
- if (cb.length > limit) {
- cb = cb.substring(0, limit);
- }
+ if (cb.length > limit) {
+ cb = cb.substring(0, limit);
+ }
- const str = JSON.stringify(body === undefined ? null : body);
- // protect from jsonp xss
- return `/**/ typeof ${cb} === 'function' && ${cb}(${str});`;
+ const str = JSON.stringify(body === undefined ? null : body);
+ // protect from jsonp xss
+ return `/**/ typeof ${cb} === 'function' && ${cb}(${str});`;
+ }
+ return body;
 }
 }
diff --git a/packages/cross-domain/test/express.test.ts b/packages/cross-domain/test/express.test.ts
index 8443f39a62ad..54294f8986b9 100644
--- a/packages/cross-domain/test/express.test.ts
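Review bot: The gate on the new `if (name)` line accepts the callback name from either `query[callback]` or `query['callback']`, but the emitted function name on the `let cb` line still reads only `query[callback]` and otherwise falls back to the literal `'callback'`, so a request that supplies the name under the plain `callback` key is answered with a script that invokes a global named `callback` rather than the function it asked for; the tests in express.test.ts and koa.test.ts pin exactly this (`?callback=fn` yields `callback({"test":123})`). Derive the name from the value that passed the gate instead: `let cb = String(name).replace(/[^[\]\w$.]+/g, '');`. Wrapping in `String()` also keeps the sanitiser from throwing if the query parser hands back an array for a repeated key (an unhandled TypeError on such a request would otherwise surface as a 500). After stripping, `cb` can still be empty when the supplied value contains only disallowed characters, which yields the invalid script `typeof  === 'function' && (...)`; falling back to `return body;` or a 400 in that case would be safer than emitting it.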
+++ b/packages/cross-domain/test/express.test.ts
@@ -42,7 +42,7 @@ describe('test/express.test.ts', function () {
 .expect(res => {
 assert(!res.headers['access-control-allow-origin']);
 })
- .expect(200)
+ .expect(200);
 });
 it('jsonp callback', async () => {
@@ -51,6 +51,11 @@ describe('test/express.test.ts', function () {
 .post('/jsonp?callback=fn')
 .expect(200)
 .expect('x-content-type-options', 'nosniff')
- .expect(`/**/ typeof callback === 'function' && callback({"test":123});`)
+ .expect(`/**/ typeof callback === 'function' && callback({"test":123});`);
+ });
+
+ it('jsonp callback ignore', async () => {
+ const request = await createHttpRequest(app);
+ await request.post('/jsonp').expect(200).expect({ test: 123 });
 });
 });
diff --git a/packages/cross-domain/test/koa.test.ts b/packages/cross-domain/test/koa.test.ts
index 0c5626106073..9db5d984d1d3 100644
--- a/packages/cross-domain/test/koa.test.ts
+++ b/packages/cross-domain/test/koa.test.ts
@@ -8,7 +8,7 @@ describe('test/koa.test.ts', function () {
 try {
 app = await createApp(appDir);
 } catch (e) {
- console.log("e", e);
+ console.log('e', e);
 }
 });
@@ -49,14 +49,17 @@ describe('test/koa.test.ts', function () {
 .expect(200);
 });
-
 it('jsonp callback', async () => {
 const request = await createHttpRequest(app);
 await request
 .post('/jsonp?callback=fn')
 .expect(200)
 .expect('x-content-type-options', 'nosniff')
- .expect(`/**/ typeof callback === 'function' && callback({"test":123});`)
+ .expect(`/**/ typeof callback === 'function' && callback({"test":123});`);
+ });
+ it('jsonp callback ignore', async () => {
+ const request = await createHttpRequest(app);
+ await request.post('/jsonp').expect(200).expect({ test: 123 });
 });
 });
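Review bot: The new `'jsonp callback ignore'` test in the `@@ -51,6 +51,11 @@` hunk only checks the JSON body; it does not verify that the non-JSONP path leaves the response untouched, which is the behaviour the `if (name)` guard in jsonp.ts introduces (no `nosniff` header, no switch of the type to `js`). The file already uses an absence check in the hunk above (`assert(!res.headers['access-control-allow-origin'])`), so the same shape fits here: `.expect(res => { assert(!res.headers['x-content-type-options']); })` appended to the request chain. The matching `'jsonp callback ignore'` test added to koa.test.ts would benefit from the same assertion.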