@@ -39,17 +39,16 @@ private static String referer(HttpServletRequest request, HttpServletResponse re
3939 private static String emptyReferer (HttpServletRequest request , HttpServletResponse response ) {
4040 String referer = request .getHeader ("referer" );
4141 response .setHeader ("Access-Control-Allow-Origin" , "*" );
42- if (null == referer ) {
43- String callback = request .getParameter ("callback" );
44- return callback + "(" + info + ")" ;
45- } else {
46- Security sec = new Security ();
47- if (!sec .checkSafeUrl (referer , urlwhitelist )) {
48- return "Referer is not safe." ;
49- }
50- String callback = request .getParameter ("callback" );
51- return callback + "(" + info + ")" ;
42+ Security sec = new Security ();
43+
44+ // 如果referer不为空,并且referer不在安全域名白名单内,return error
45+ // 导致空referer就会绕过校验。开发同学为了方便测试,不太喜欢校验空Referer
46+ if (null != referer && !sec .checkSafeUrl (referer , urlwhitelist )) {
47+ return "error" ;
5248 }
49+
50+ String callback = request .getParameter ("callback" );
51+ return callback + "(" + info + ")" ;
5352 }
5453
5554 // http://localhost:8080/jsonp/sec?callback=test
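Review bot: The `null != referer &&` guard on new line 46 lets a request with no Referer header skip `checkSafeUrl` entirely and still receive `callback(info)`, and a cross-site page can force that with `<script src="..." referrerpolicy="no-referrer">` or a `no-referrer` meta policy; the Chinese comment above it acknowledges this, so if `emptyReferer` is meant to be the deliberately vulnerable sample, state it in English, e.g. `// INTENTIONALLY VULNERABLE: an absent Referer bypasses the whitelist (referrerpolicy=no-referrer)`, otherwise drop the `null != referer &&` so a missing Referer is rejected as `sec` does. Separately, `callback` is concatenated into the body on line 51 with no validation, so the caller controls the leading bytes of the response; restrict it to an identifier with `if (callback == null || !callback.matches("[A-Za-z0-9_.$]+")) { return "error"; }` and set `response.setContentType("application/javascript")` so the reply is not interpreted as HTML. `Access-Control-Allow-Origin: *` on line 41 is emitted before any check and is unrelated to JSONP; confirm it is intended rather than copied along.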
@@ -60,9 +59,11 @@ private static String sec(HttpServletRequest request, HttpServletResponse respon
6059 response .setHeader ("Access-Control-Allow-Origin" , "*" );
6160 String referer = request .getHeader ("referer" );
6261 Security sec = new Security ();
62+
6363 if (!sec .checkSafeUrl (referer , urlwhitelist )) {
64- return "Referer is not safe. " ;
64+ return "error " ;
6565 }
66+
6667 String callback = request .getParameter ("callback" );
6768 return callback + "(" + info + ")" ;
6869 }
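Review bot: `callback` on line 67 is still written into the response unvalidated, so a caller controls the start of the body; add `if (callback == null || !callback.matches("[A-Za-z0-9_.$]+")) { return "error"; }` before the return and `response.setContentType("application/javascript")` so the reply is not rendered as HTML. Whether this endpoint rejects a missing Referer depends on `checkSafeUrl(null, urlwhitelist)` returning false, which is not visible here — confirm it does, otherwise a `referrerpolicy="no-referrer"` script tag bypasses the whitelist exactly as in `emptyReferer`. The new error string `"error "` carries a trailing space while `emptyReferer` returns `"error"`; make them identical so callers and tests can compare on one value. The `sec` signature lies above this hunk.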