ngx_xss: Native support for cross-site scripting in an nginx

agentzh agentzh at
Fri Jan 29 10:53:29 MSK 2010

On Fri, Jan 29, 2010 at 5:11 AM, Tobia Conforto
<tobia.conforto at> wrote:
> Am I the only one wondering what's the use of this module?

The initial motivation for writing this module is to build a
full-fledged blog app that is powered completely by nginx.conf and
client-side JavaScript. I already have something runnable now. Here's
the nginx.conf that I've got so far if you're interested:

> It seems to just add a string and a pair of parentheses around the response.
> Can't you do that on the backend,

In the demo app mentioned above, the only backend is the MySQL
database. Are you sure you want mysqld to do this?

Also, even if you have a real backend app running as an upstream, then
you still have a chance to do this in C, also in a streaming fashion.

(Just as I mentioned in another thread here, we often have to handle
tens of millions of requests per day on 1 or 2 machines, so
eliminating unnecessary cost is very important.)

> assuming you have some sort of backend?

Not really in your definition of "backend" ;)

> Or on the client side, if the response is to be parsed by some client-side javascript?

This is the classic cross-site GET trick for JavaScript programmers.

> I don't mean to belittle your effort, I'm just curious!

Well, it's understandable :)
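
The wrapping discussed in this thread (a callback name and a pair of parentheses around the response, emitted without buffering the body), as an added JavaScript example that is not part of the original post and is not ngx_xss code. The function names, the callback grammar, the 64-character cap and the content types are assumptions of this example; the point is that the callback name is reflected into executable script, so it is checked before anything is sent.

```javascript
// Added example, not ngx_xss code. All names and limits here are assumptions.
// Accept only dotted JavaScript identifiers such as "cb" or "blog.render".
const CALLBACK_RE = /^[A-Za-z_$][\w$]*(?:\.[A-Za-z_$][\w$]*)*$/;
const MAX_CALLBACK_LEN = 64; // arbitrary cap chosen for this example

function validateCallback(name) {
  // Repeated query parameters often arrive as arrays; reject anything
  // that is not a single short string.
  if (typeof name !== "string") return false;
  if (name.length === 0 || name.length > MAX_CALLBACK_LEN) return false;
  return CALLBACK_RE.test(name);
}

// Streaming wrap: yield the prefix, pass every upstream chunk through
// untouched, then yield the suffix. The body is never buffered or parsed.
function* wrapChunks(callback, chunks) {
  if (!validateCallback(callback)) throw new RangeError("invalid callback name");
  yield callback + "(";
  for (const chunk of chunks) yield chunk;
  yield ");";
}

// Decide how to answer a GET: plain JSON when no callback is requested,
// 400 when the callback is unsafe, wrapped script otherwise.
function respond(query, upstreamChunks) {
  const cb = query.callback;
  if (cb === undefined) {
    return { status: 200, type: "application/json", body: upstreamChunks };
  }
  if (!validateCallback(cb)) {
    return { status: 400, type: "text/plain", body: ["bad callback\n"] };
  }
  return {
    status: 200,
    type: "application/javascript",
    body: wrapChunks(cb, upstreamChunks),
  };
}
```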

