xss_output_type

The `xss_output_type` directive specifies the MIME type for JSONP responses in NGINX.

Syntax: xss_output_type type [type...];
Default: none
Context: http, server, location, if in location
Arguments: 1+

Description

The xss_output_type directive in the Native XSS module of NGINX sets the MIME type of responses when JSONP (JSON with Padding) is enabled. It lets developers define the content type used when delivering JavaScript responses to cross-origin requests. When xss_get is enabled and a client makes a cross-origin GET request, the type specified by xss_output_type is applied to the response so that client-side JavaScript can interpret it properly.

Users can specify one or more MIME types as arguments to this directive, which lets NGINX serve different types of responses depending on the request context. The application/x-javascript type is a common default, but developers can choose other types like application/json or custom types to suit their needs. This flexibility facilitates better handling of various cross-domain AJAX scenarios where content detection is essential.

The specified MIME type must align with the content actually being served. An incorrect MIME type can prevent the browser from executing the script correctly, which causes functionality failures in web applications that rely on JSONP for cross-domain requests.

Config Example

server {
    location /foo {
        xss_get on;
        xss_output_type 'application/x-javascript';
        # other configurations...
    }
}

Ensure that the specified MIME type matches the content being served to prevent improper handling by clients.

Using multiple MIME types requires careful consideration of response handling logic to avoid conflicts.

Always set the xss_get directive to on if you plan to use xss_output_type for JSONP responses.
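
The two checks in the notes above (a MIME type that matches script content, and xss_get enabled wherever xss_output_type is used) can be automated. The linter below is an added example, not part of the module or of this page: `lint_jsonp_types`, `check` and the sample configuration are hypothetical names and constructed input, and the tokenizer only covers simple nginx syntax like that shown here. It relies on browsers refusing to run a script response whose type is not a JavaScript MIME type when the response carries `X-Content-Type-Options: nosniff`.

```python
import re

# JavaScript MIME types from the WHATWG MIME Sniffing standard.
_SUB = "ecmascript javascript x-ecmascript x-javascript".split()
JS_MIME = ({"application/" + s for s in _SUB} | {"text/" + s for s in _SUB}
           | {"text/jscript", "text/livescript"}
           | {f"text/javascript1.{n}" for n in range(6)})
# Tokens: comment | 'quoted' | "quoted" | one of { } ; | bare word
TOKEN = re.compile(r"""#[^\n]*|'([^']*)'|"([^"]*)"|([{};])|([^\s{};'"#]+)""")

def check(header, conf):
    """Findings for one location; conf maps directive name -> argument list."""
    types = conf.get("xss_output_type", [])
    out = []
    if types and conf.get("xss_get") != ["on"]:
        out.append((header, "xss_output_type set but xss_get is not on"))
    out += [(header, f"{t}: not a JavaScript MIME type, blocked as a script "
                     "when the response carries X-Content-Type-Options: nosniff")
            for t in types if t.lower() not in JS_MIME]
    return out

def lint_jsonp_types(text):
    """Walk nginx-style config text and lint every location block."""
    findings, words = [], []
    stack = [("main", {})]  # (block header, directives copied from parent)
    for m in TOKEN.finditer(text):
        kind, tok = m.lastindex, m.group(m.lastindex or 0)
        if kind is None:        # comment
            continue
        if kind != 3:           # quoted string or bare word
            words.append(tok)
            continue
        if tok == ";" and words:
            stack[-1][1][words[0]] = words[1:]
        elif tok == "{":
            stack.append((" ".join(words), dict(stack[-1][1])))
        elif tok == "}" and len(stack) > 1:
            header, conf = stack.pop()
            if header.startswith("location"):
                findings += check(header, conf)
        words = []
    return findings

# Constructed sample configuration.
SAMPLE = """server {
    location /foo { xss_get on; xss_output_type 'application/x-javascript'; }
    location /bar { xss_get on; xss_output_type application/json; }
    location /baz { xss_output_type 'text/javascript'; }  # xss_get missing
}
"""
```

Calling `lint_jsonp_types(SAMPLE)` returns a list of `(location, message)` pairs; `/foo` is clean, `/bar` is flagged for its MIME type and `/baz` for the missing xss_get.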
