xss_callback_arg

The `xss_callback_arg` directive specifies the name of the request argument that carries the JavaScript callback function name for JSONP responses in NGINX.

Syntax: xss_callback_arg ;
Default: none
Context: http, server, location, if in location
Arguments: 1

Description

The xss_callback_arg directive is used in conjunction with the xss_get directive to implement JSONP (JSON with Padding) functionality for cross-site AJAX requests. When enabled, it modifies the response format for GET requests by wrapping the response body within a JavaScript callback function. The name of this callback function is read from the request argument whose name is given to the xss_callback_arg directive.

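For instance, if the directive is set to callback and a request is made to a location with the parameter callback=process, the response body is formatted as process(...);, where ... represents the original response data. This directive facilitates cross-domain exchanges of data in web applications, allowing scripts on different hosts to interact with each other. Because a JSONP response is loaded as a script, any site that references the URL can read it, so a location configured this way should return only data that is safe to share across sites.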

To use this directive, place it within the appropriate context (http, server, location, or if in location) and specify the desired callback parameter name. If it is not defined, the directive defaults to none: no callback argument is configured and responses are not given the expected JSONP formatting, which can break clients that expect a JSONP response to their cross-domain requests.

Config Example

server {
    location /foo {
        xss_get on;
        xss_callback_arg 'callback';
        xss_input_types 'application/json';
        xss_output_type 'application/x-javascript';
    }
}

Ensure that xss_get is enabled for JSONP to work, as the response will not be wrapped in the callback without it.

Using special characters in the callback name may lead to unexpected results; it's best to use alphanumeric characters only.

Always test responses from your application in multiple browsers to confirm that the JSONP is functioning correctly.
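The wrapping, the alphanumeric-only advice and the response testing described above, as an added example that is not code from the module or from this page: a small Node.js model of how the argument named by xss_callback_arg selects the callback, plus a response check for a test suite. The function names, the 64-character cap and the sample query and body are assumptions constructed for illustration; how NGINX itself responds to a rejected name is not modelled.

```javascript
// Added example: a model of JSONP wrapping, not the module's source code.
// Assumption: alphanumeric allowlist (letter first) with a 64-character cap.
const SAFE_NAME = /^[A-Za-z][A-Za-z0-9]{0,63}$/;

// Read the callback name from the query argument named by xss_callback_arg.
// The value comes from the request, so it is treated as untrusted input.
function callbackFromQuery(query, callbackArg) {
  const name = new URLSearchParams(query).get(callbackArg);
  if (name === null || !SAFE_NAME.test(name)) return null;
  return name;
}

// Wrap a JSON body as name(body); and return null when no safe callback
// name was supplied or the body is not valid JSON.
function wrapJsonp(query, callbackArg, jsonBody) {
  const name = callbackFromQuery(query, callbackArg);
  if (name === null) return null;
  try {
    JSON.parse(jsonBody);
  } catch {
    return null;
  }
  return `${name}(${jsonBody});`;
}

// Test-suite check: the response must be exactly name(<valid JSON>);
function checkJsonpBody(name, body) {
  const prefix = name + '(';
  if (!body.startsWith(prefix) || !body.endsWith(');')) return false;
  try {
    JSON.parse(body.slice(prefix.length, -2));
    return true;
  } catch {
    return false;
  }
}

// Constructed sample input (not captured traffic).
const SAMPLE_QUERY = 'callback=process&id=7';
const SAMPLE_BODY = '{"id":7}';
console.log(wrapJsonp(SAMPLE_QUERY, 'callback', SAMPLE_BODY));
```

Running checkJsonpBody against real responses from the configured location is one way to automate the browser testing recommended above.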
