rack-jsonp-middleware 0.0.6 → 0.0.7
Sign up to get free protection for your applications and to get access to all the features.
- data/README.md +12 -8
- data/lib/rack/jsonp.rb +27 -7
- metadata +3 -2
data/README.md
CHANGED
|
@@ -1,14 +1,10 @@
|
|
|
1
1
|
# rack-jsonp-middleware -  - 
|
|
2
2
|
|
|
3
|
-
|
|
3
|
+
Rack middleware that turns all .jsonp requests into a jsonp response.
|
|
4
4
|
|
|
5
5
|
## Overview
|
|
6
6
|
|
|
7
|
-
|
|
8
|
-
|
|
9
|
-
The main difference with the rest of them is that this one will add JSONP support to any of your JSON calls but only when the extension name '.jsonp' is present.
|
|
10
|
-
|
|
11
|
-
Since 'callback' is a really generic parameter name if someone wants to get a JSONP response they must request it explicitly.
|
|
7
|
+
(does not support 'callback' since it is a really generic parameter name)
|
|
12
8
|
|
|
13
9
|
Btw, don't forget to give a try to [J50Nπ](https://github.com/robertodecurnex/J50Npi) (a pure JS JSONP helper), they make a lovely couple together :P
|
|
14
10
|
|
|
@@ -18,8 +14,10 @@ Roberto Decurnex (nex.development@gmail.com)
|
|
|
18
14
|
|
|
19
15
|
## Contributors
|
|
20
16
|
|
|
21
|
-
* [rwilcox](https://github.com/rwilcox "rwilcox profile")
|
|
22
|
-
* [amiel](https://github.com/amiel "amiel profile")
|
|
17
|
+
* Ryan Wilcox ([rwilcox](https://github.com/rwilcox "rwilcox profile"))
|
|
18
|
+
* Amiel Martin ([amiel](https://github.com/amiel "amiel profile"))
|
|
19
|
+
* Michael Grosser ([grosser](https://github.com/grosser "grosser profile"))
|
|
20
|
+
* Matt Sanford ([mzsanford](https://github.com/mzsanford "mzsanford profile"))
|
|
23
21
|
|
|
24
22
|
## Install
|
|
25
23
|
|
|
@@ -79,3 +77,9 @@ But http://domain.com/action.json?callback=J50Npi.sucess will still returns the
|
|
|
79
77
|
{"key":"value"}
|
|
80
78
|
With the following Content-Type:
|
|
81
79
|
application/json
|
|
80
|
+
|
|
81
|
+
# Security
|
|
82
|
+
|
|
83
|
+
Supporting jsonp means that another websites can access your website on behalf of a user visiting their site,
|
|
84
|
+
which might lead to security problems (e.g. they read http://yoursite.com/user.jsonp and get the users email etc),
|
|
85
|
+
so think about if you want to turn it on globally.
|
data/lib/rack/jsonp.rb
CHANGED
|
@@ -11,7 +11,7 @@ module Rack
|
|
|
11
11
|
requesting_jsonp = Pathname(request.env['PATH_INFO']).extname =~ /^\.jsonp$/i
|
|
12
12
|
callback = request.params['callback']
|
|
13
13
|
|
|
14
|
-
return [400,{},[]] if requesting_jsonp && !callback
|
|
14
|
+
return [400,{},[]] if requesting_jsonp && !self.valid_callback?(callback)
|
|
15
15
|
|
|
16
16
|
if requesting_jsonp
|
|
17
17
|
env['PATH_INFO'].sub!(/\.jsonp/i, '.json')
|
|
@@ -20,21 +20,41 @@ module Rack
|
|
|
20
20
|
|
|
21
21
|
status, headers, body = @app.call(env)
|
|
22
22
|
|
|
23
|
-
if requesting_jsonp && headers['Content-Type']
|
|
23
|
+
if requesting_jsonp && self.json_response?(headers['Content-Type'])
|
|
24
24
|
json = ""
|
|
25
25
|
body.each { |s| json << s }
|
|
26
26
|
body = ["#{callback}(#{json});"]
|
|
27
27
|
headers['Content-Length'] = Rack::Utils.bytesize(body[0]).to_s
|
|
28
|
-
headers['Content-Type']
|
|
28
|
+
headers['Content-Type'].sub!(/^[^;]+(;?)/, "#{MIME_TYPE}\\1")
|
|
29
29
|
end
|
|
30
30
|
|
|
31
31
|
[status, headers, body]
|
|
32
32
|
end
|
|
33
33
|
|
|
34
|
-
|
|
35
|
-
|
|
36
|
-
|
|
37
|
-
|
|
34
|
+
protected
|
|
35
|
+
|
|
36
|
+
# Do not allow arbitrary Javascript in the callback.
|
|
37
|
+
#
|
|
38
|
+
# @return [Regexp]
|
|
39
|
+
VALID_CALLBACK_PATTERN = /^[a-zA-Z0-9\._]+$/
|
|
40
|
+
|
|
41
|
+
# @return [String] the JSONP response mime type.
|
|
42
|
+
MIME_TYPE = 'application/javascript'
|
|
43
|
+
|
|
44
|
+
# Checks if the callback function name is safe/valid.
|
|
45
|
+
#
|
|
46
|
+
# @param [String] callback the string to be used as the JSONP callback function name.
|
|
47
|
+
# @return [TrueClass|FalseClass]
|
|
48
|
+
def valid_callback?(callback)
|
|
49
|
+
!callback.nil? && !callback.match(VALID_CALLBACK_PATTERN).nil?
|
|
50
|
+
end
|
|
51
|
+
|
|
52
|
+
# Check if the response Content Type is JSON.
|
|
53
|
+
#
|
|
54
|
+
# @param [Hash] content_type the response Content Type
|
|
55
|
+
# @return [TrueClass|FalseClass]
|
|
56
|
+
def json_response?(content_type)
|
|
57
|
+
!content_type.nil? && !content_type.match(/^application\/json/i).nil?
|
|
38
58
|
end
|
|
39
59
|
|
|
40
60
|
end
|
metadata
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: rack-jsonp-middleware
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.0.
|
|
4
|
+
version: 0.0.7
|
|
5
5
|
prerelease:
|
|
6
6
|
platform: ruby
|
|
7
7
|
authors:
|
|
@@ -9,7 +9,7 @@ authors:
|
|
|
9
9
|
autorequire:
|
|
10
10
|
bindir: bin
|
|
11
11
|
cert_chain: []
|
|
12
|
-
date: 2012-
|
|
12
|
+
date: 2012-09-12 00:00:00.000000000 Z
|
|
13
13
|
dependencies:
|
|
14
14
|
- !ruby/object:Gem::Dependency
|
|
15
15
|
name: rack
|
|
@@ -92,3 +92,4 @@ signing_key:
|
|
|
92
92
|
specification_version: 3
|
|
93
93
|
summary: rack-jsonp-middleware-0.0.5
|
|
94
94
|
test_files: []
|
|
95
|
+
has_rdoc:
|