Check start of the response instead of MIME type to determine exploitable JSONP callback
Currently, the plugin only checks whether the request responds with application/javascript after appending parameters and/or changing the extension of the URL. However, there could be cases where the JSONP endpoint responds with a different content type (for some reason).
If no header is present that prevents content sniffing (X-Content-Type-Options: nosniff), you could either use it to leak data cross-origin, or use it for a CSP bypass.
A suggested solution by @avlidienbrunn was to check the start of the response instead.
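The check suggested above, as an added example that is not the plugin's own code: instead of trusting the Content-Type header, the scanner compares the start of the response body with the callback name it sent, and separately reports whether X-Content-Type-Options: nosniff is present. The sample responses, the callback name `cb`, and the function names are all constructed for this illustration.

```python
import re
from typing import Mapping, Optional

# Leading material some JSONP endpoints emit before the callback: whitespace,
# a "/**/" guard comment, or a single-line comment.
_LEADING = r"(?:\s|/\*\*/|//[^\n]*\n)*"

# Content types a browser will execute as script without sniffing.
_SCRIPT_TYPES = ("application/javascript", "text/javascript", "application/x-javascript")


def get_header(headers: Mapping[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup (HTTP header names are case-insensitive)."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def body_starts_with_callback(body: str, callback: str) -> bool:
    """True when the body begins with `<callback>(`, i.e. the endpoint wrapped its
    payload in the caller-supplied function name. This is the start-of-response
    check proposed in the issue, used instead of the MIME type."""
    pattern = _LEADING + re.escape(callback) + r"\s*\("
    return re.match(pattern, body) is not None


def sniffing_prevented(headers: Mapping[str, str]) -> bool:
    """X-Content-Type-Options: nosniff stops the browser from running a
    non-script MIME type as a script."""
    value = get_header(headers, "X-Content-Type-Options")
    return value is not None and value.strip().lower() == "nosniff"


def is_script_type(headers: Mapping[str, str]) -> bool:
    """True when the declared Content-Type is a script type (the old check)."""
    ctype = (get_header(headers, "Content-Type") or "").split(";")[0].strip().lower()
    return ctype in _SCRIPT_TYPES


def assess_jsonp(body: str, headers: Mapping[str, str], callback: str) -> dict:
    """Classify one response. `callback` is the name the scanner sent in the request
    (hypothetical parameter, e.g. ?callback=<name>)."""
    reflected = body_starts_with_callback(body, callback)
    script_type = is_script_type(headers)
    nosniff = sniffing_prevented(headers)
    return {
        "callback_reflected": reflected,
        "script_content_type": script_type,
        "nosniff": nosniff,
        # Report when the callback is reflected AND the browser would execute the
        # body: either it is served as script, or nothing forbids sniffing it.
        "report": reflected and (script_type or not nosniff),
    }


# Constructed sample responses (not captured from any real endpoint).
SAMPLES = {
    "js_type": (
        {"Content-Type": "application/javascript"},
        'cb({"user":"alice"});',
    ),
    "json_type_no_nosniff": (
        {"Content-Type": "application/json"},
        'cb({"user":"alice"})',
    ),
    "json_type_nosniff": (
        {"Content-Type": "application/json", "x-content-type-options": "nosniff"},
        '/**/ cb({"user":"alice"})',
    ),
    "plain_json": (
        {"Content-Type": "application/json"},
        '{"user":"alice"}',
    ),
}


def run_samples(callback: str = "cb") -> dict:
    """Assess every constructed sample with the given callback name."""
    return {name: assess_jsonp(body, headers, callback) for name, (headers, body) in SAMPLES.items()}


if __name__ == "__main__":
    for name, result in run_samples().items():
        print(name, result)
```

The second sample is the case the issue describes: the Content-Type is not a script type, so a MIME-only check misses it, but the callback is reflected and nosniff is absent, so the finding is still reported. The third sample shows the caveat in the other direction: the callback is reflected, but nosniff plus a non-script type means the body is not executable as script, so it is recorded without being flagged.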