So I have a small widget that is running on a lot of third-party websites with no issues. However, on one of the sites it is unable to make any JSONP requests to get more data. It is using the $http service from AngularJS 1.2.x to make the request, and when I look at the request I am seeing a status code of 0. Looking at the Chrome Network tab, I don't see any network traffic as a result of the JSONP request, so it seems that perhaps a setting on the site is disabling the JSONP request. Below are the headers for the site. Would any of these disable JSONP?

    Request Method: GET
    Status Code: 200 
    Referrer Policy: no-referrer-when-downgrade
    age: 67
    cache-control: max-age=180
    content-encoding: gzip
    content-length: 31663
    content-security-policy: upgrade-insecure-requests;
    content-type: text/html;charset=UTF-8
    date: Tue, 09 Apr 2019 21:05:47 GMT
    server: Apache-Coyote/1.1
    status: 200
    vary: Accept-Encoding
    x-amz-cf-id: _2wi32jNFBQKDwJO9eZroHcZrY74J56d-guSmRCCf6aoCpLDuD4Vzg==
    x-cache: Hit from cloudfront
    x-powered-by: Brightspot
    :authority: www.somesite.com
    :method: GET
    :path: /entertainment/things/stuff.html
    :scheme: https
    accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
    accept-encoding: gzip, deflate, br
    accept-language: en-US,en;q=0.9
    cache-control: no-cache
    pragma: no-cache
    upgrade-insecure-requests: 1
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.86 Safari/537.36

runxc1 Bret Ferrier
  • Is the *content* (the response body) a valid script? That's what matters more. Given the `content-type: text/html`, the answer is probably no. – Bergi Apr 09 '19 at 21:55
  • Can't arbitrarily use jsonp if endpoint doesn't serve jsonp. They are a script request. – charlietfl Apr 10 '19 at 00:19
  • @Bergi not quite sure what you are saying. Are to what the accept: header is willing to accept and that text/javascript isn't one of the things that it will accept? – runxc1 Bret Ferrier Apr 10 '19 at 15:35
  • @charlietfl as mentioned, the same script is working on 100 other sites or more, so yes, the endpoint is configured for JSONP, as this is working on multiple sites, just not this one. – runxc1 Bret Ferrier Apr 10 '19 at 15:37
  • @runxc1BretFerrier I'm talking about the response header, not the request header (unfortunately you have not separated them clearly). `text/html` is the wrong content type for a JSONP script. Fix the server. – Bergi Apr 10 '19 at 18:31
  • @runxc1BretFerrier Maybe you are seeing [this message](https://stackoverflow.com/q/3467404/1048572) in the case where it "works"? – Bergi Apr 10 '19 at 18:35
  • Wait, are these the headers of the JSONP request, or the headers of the request for the HTML page that uses the JSONP script? Please post a complete example. – Bergi Apr 10 '19 at 18:41
  • @runxc1BretFerrier See also https://blog.mozilla.org/security/2016/08/26/mitigating-mime-confusion-attacks-in-firefox/ or https://textslashplain.com/2018/01/08/content-types-matter-more-than-you-think/ – Bergi Apr 10 '19 at 18:42
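
The question asks whether the host page's response headers can affect a JSONP request. As an added example (not code from the original post), this sketch classifies how a browser would treat a JSONP `<script>` URL given the host page's URL and its `content-security-policy` value; the function names and the widget URL used with it are hypothetical, and source matching is simplified (ports, paths, nonces and hashes are ignored).

```javascript
// Added diagnostic sketch, not code from the question. Function names are
// hypothetical. Source matching is simplified: ports, paths, nonces and
// hashes are ignored.
function parseCsp(headerValue) {
  const directives = new Map();
  for (const part of (headerValue || '').split(';')) {
    const [name, ...values] = part.trim().split(/\s+/).filter(Boolean);
    // First occurrence of a directive wins; later duplicates are ignored.
    if (name && !directives.has(name.toLowerCase())) {
      directives.set(name.toLowerCase(), values);
    }
  }
  return directives;
}

function schemeOk(srcScheme, target) {
  // An http source expression also matches the https version of the URL.
  return srcScheme === target.protocol ||
    (srcScheme === 'http:' && target.protocol === 'https:');
}

function sourceMatches(source, target, page) {
  const s = source.toLowerCase();
  if (s === '*') return true;
  if (s === "'self'") return target.origin === page.origin;
  if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return schemeOk(s, target);
  const m = /^(?:([a-z][a-z0-9+.-]*:)\/\/)?(\*\.)?([^/:]+)/.exec(s);
  if (!m || (m[1] && !schemeOk(m[1], target))) return false;
  return m[2] ? target.hostname.endsWith('.' + m[3]) : target.hostname === m[3];
}

function classifyJsonpRequest(pageUrl, cspHeader, jsonpUrl) {
  const page = new URL(pageUrl);
  const target = new URL(jsonpUrl, page); // also resolves //host/path URLs
  const csp = parseCsp(cspHeader);
  const findings = [];
  if (target.protocol === 'http:') {
    if (csp.has('upgrade-insecure-requests')) {
      target.protocol = 'https:'; // browser rewrites the URL before fetching
      findings.push('upgraded-to-https');
    } else if (page.protocol === 'https:') {
      findings.push('blocked-mixed-content');
    }
  }
  const sources = csp.get('script-src') || csp.get('default-src');
  if (sources && !sources.some((src) => sourceMatches(src, target, page))) {
    findings.push('blocked-by-script-src');
  }
  return { effectiveUrl: target.href, findings };
}
```

Passing the page URL and the `content-security-policy` value from the headers above together with the widget's JSONP URL shows whether the request would be rewritten to HTTPS or refused before any traffic appears in the Network tab.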

0 Answers