xss_get

The `xss_get` directive enables support for JSONP (JSON with Padding) responses in NGINX for cross-site GET requests.

Syntax: xss_get on | off;
Default: off
Context: http, server, location, if in location
Arguments: flag

Description

The xss_get directive enables JSONP support in NGINX for cross-site AJAX requests. When set to 'on', the response body of a GET request is wrapped in a call to a JavaScript callback function named by the client. This is a workaround for the browser same-origin policy: a script loaded from one domain can fetch data from another domain by loading the wrapped response as a script, so the server answers AJAX calls from other origins with a JavaScript function call rather than with plain JSON.

The directive can be set in the http, server, location, and if-in-location contexts. When it is enabled, the client names the callback function through a query parameter of its GET request, and the server uses that name to build the response, wrapping the original response body in a JavaScript function call. This lets web applications work around the restrictions browsers place on cross-origin requests.

By default xss_get is 'off', so JSONP is not supported unless it is explicitly enabled. The directive is used together with related directives such as xss_callback_arg, which specifies the query argument carrying the name of the function to call in the client-side code. Enabling this directive makes cross-domain requests available to web applications that need them.

Config Example

server {
    location /foo {
        # Wrap GET responses in a JSONP callback
        xss_get on;
        # Query argument that carries the callback function name
        xss_callback_arg 'callback';
        # Only responses with these content types are wrapped
        xss_input_types 'application/json';
        # Content type of the wrapped (JavaScript) response
        xss_output_type 'application/x-javascript';
    }
}

Ensure that the corresponding xss_callback_arg directive is set to the query parameter the clients actually use for the callback.

Cross-origin issues may still arise if the client and server sides are not configured consistently.

Test to confirm that the JavaScript generated in the response is well formed. A callback name that is not a valid JavaScript identifier yields a script that fails to parse, and since the name is taken from the request, only names made of identifier characters should be accepted.
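The following is an added illustration, not code from the xss-nginx-module: it models what xss_get on with xss_callback_arg 'callback' does to a GET response, including the pass-through cases and the callback-name check described above. The request shape, the config object and the identifier pattern are assumptions of this example.

```javascript
// Model of the JSONP wrapping performed for a GET request (added example,
// not the module's implementation). Assumptions: the request is given as
// a URL, plus the upstream content type and body; SAFE_CALLBACK is this
// example's own choice of accepted callback names (dotted identifiers).
const SAFE_CALLBACK = /^[A-Za-z_$][A-Za-z0-9_$]*(\.[A-Za-z_$][A-Za-z0-9_$]*)*$/;

// Mirrors the Config Example above.
const config = {
  xss_get: true,
  xss_callback_arg: 'callback',
  xss_input_types: ['application/json'],
  xss_output_type: 'application/x-javascript',
};

// Returns { status, contentType, body } as the client would receive it.
function jsonpWrap(url, upstreamContentType, upstreamBody, cfg = config) {
  // Base URL is only needed to parse a path-relative request line.
  const params = new URL(url, 'http://example.invalid').searchParams;
  const cb = params.get(cfg.xss_callback_arg);
  const mediaType = upstreamContentType.split(';')[0].trim();

  // Directive off, no callback argument, or a content type not listed in
  // xss_input_types: the upstream response passes through untouched.
  if (!cfg.xss_get || cb === null || !cfg.xss_input_types.includes(mediaType)) {
    return { status: 200, contentType: upstreamContentType, body: upstreamBody };
  }

  // The callback value is reflected verbatim into a script body, so anything
  // other than a plain identifier would break (or alter) the generated script.
  if (!SAFE_CALLBACK.test(cb)) {
    return { status: 400, contentType: 'text/plain', body: 'invalid callback' };
  }

  return {
    status: 200,
    contentType: cfg.xss_output_type,
    body: `${cb}(${upstreamBody});`,
  };
}
```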
