1

I am testing a Web Application and i have found a endpoint which is returning some data in json the endpoint is this.

/api/vtexid/pub/authenticated/user

Now i was testing to find out that if this endpoint supports JSONP by appending a query parameter of ?callback=obj

   /api/vtexid/pub/authenticated/user?callback=obj

When i open this url a file was downloaded and it looked something like this.

obj({
  "userId": "123",
  "user": "abc@gmail.com",
  "userType": "F"
})

Now when i tried to load the endpoint in a <script> tag to extract the data.

<html>

<script>
function obj(d) {console.log(d)}
</script>

<script src="https://www.example.com/api/vtexid/pub/authenticated/user?callback=obj" type="application/jsonp"></script>

</html>

I ended up getting an error in the console that

Refused to execute script from 'https://www.example.com/api/vtexid/pub/authenticated/user?callback=obj' because its MIME type ('application/jsonp') is not executable, and strict MIME type checking is enabled.

And looking into the Request Headers the Content-Type is set to application/jsonp

So is there any workaround for this to get the data.

Osama Xäwãñz
  • 111
  • 1
  • You should research that error message and what browsers/versions it is relevant to. – Conor Mancone Jan 13 '20 at 16:07
  • i have researched it and found that the x-content-type-options nosniff is restricting the Content-Type to change from application/jsonp to application/javascript or something else. – Osama Xäwãñz Jan 13 '20 at 16:08
  • browsers didn't used to check the script's mime, that 's news to me, but regardless, how do you break out of the JSON to execute code instead of just load some harmless arbitrary data? HTML provides a lot of contexts for mishaps, JSON doesn't. – dandavis Jan 13 '20 at 20:20

0 Answers0