http-xss-filter #
xss-nginx-module - Native cross-site scripting support in nginx
Source: upstream source
Directives
xss_callback_arg #
syntax: xss_callback_arg 1 arg (string); · context: http, server, location, location-if
Stores a single string value.
xss_check_status #
syntax: xss_check_status on | off (on/off flag); · context: http, server, location, location-if
Boolean directive — set to "on" or "off".
xss_get #
syntax: xss_get on | off; · context: http, server, location, location-if
Enables JSONP-style wrapping of GET request responses for cross-origin data retrieval.
xss_input_types #
syntax: xss_input_types 1+ args; · context: http, server, location, location-if
Specifies which MIME types are eligible for JSONP response wrapping.
xss_output_type #
syntax: xss_output_type 1+ args (string); · context: http, server, location, location-if
Stores a single string value.
xss_override_status #
syntax: xss_override_status on | off (on/off flag); · context: http, server, location, location-if
Boolean directive — set to "on" or "off".
Example
# accessing /foo?callback=process gives the response
# body "process(...);" (without quotes) where "..."
# is the original response body of the /foo location.
server {
location /foo {
# your content handler goes here...
xss_get on;
xss_callback_arg 'callback';
xss_input_types 'application/json'; # default
xss_output_type 'application/x-javascript'; # default
}
...
}