Why does Google prepend while(1); to their JSON responses?

Question

Why does Google prepend while(1); to their (private) JSON responses?

For example, here's a response while turning a calendar on and off in Google Calendar:

while(1);[['u',[['smsSentFlag','false'],['hideInvitations','false'],
  ['remindOnRespondedEventsOnly','true'],
  ['hideInvitations_remindOnRespondedEventsOnly','false_true'],
  ['Calendar ID stripped for privacy','false'],['smsVerifiedFlag','true']]]]

I would assume this is to prevent people from doing an eval() on it, but all you'd really have to do is replace the while and then you'd be set. I would assume the eval prevention is to make sure people write safe JSON parsing code.

I've seen this used in a couple of other places, too, but a lot more so with Google (Mail, Calendar, Contacts, etc.) Strangely enough, Google Docs starts with &&&START&&& instead, and Google Contacts seems to start with while(1); &&&START&&&.

What's going on here?

Recommended answer

It prevents JSON hijacking.

Contrived example: say Google has a URL like mail.google.com/json?action=inbox which returns the first 50 messages of your inbox in JSON format. Evil websites on other domains can't make AJAX requests to get this data due to the same-origin policy, but they can include the URL via a <script> tag. The URL is visited with your cookies, and by overriding the global array constructor or accessor methods they can have a method called whenever an object (array or hash) attribute is set, allowing them to read the JSON content.

The while(1); or &&&BLAH&&& prevents this: an AJAX request at mail.google.com will have full access to the text content, and can strip it away. But a <script> tag insertion blindly executes the JavaScript without any processing, resulting in either an infinite loop or a syntax error.

This does not address the issue of cross-site request forgery.
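
An added example, not part of the original answer and not Google's code: how a same-origin client strips the guard prefixes quoted above before calling JSON.parse, and what a <script> include would make of the same body. The function names and the sample bodies are constructed for illustration.

```javascript
// Added example. Guard strings are the ones quoted on this page;
// function names and sample bodies are constructed for illustration.
const GUARD_PREFIXES = ['while(1);', '&&&START&&&'];

// Server side: prepend a guard so the body is not usable as a script.
function guardJson(value, prefix = 'while(1);') {
  return prefix + JSON.stringify(value);
}

// Same-origin client: it holds the response text, so it can strip every
// leading guard and hand the rest to JSON.parse (never eval()).
function parseGuardedJson(text) {
  let body = text.trimStart();
  let stripped = false;
  let again = true;
  while (again) {
    again = false;
    for (const prefix of GUARD_PREFIXES) {
      if (body.startsWith(prefix)) {
        body = body.slice(prefix.length).trimStart();
        stripped = again = true;
      }
    }
  }
  // Refuse unguarded bodies so a missing server-side guard gets noticed.
  if (!stripped) throw new Error('response is missing its guard prefix');
  return JSON.parse(body);
}

// What a <script> include would do with the same body. The text is only
// compiled via new Function, never run.
function scriptOutcome(text) {
  try {
    new Function(text);
  } catch (err) {
    if (err instanceof SyntaxError) return 'syntax error';
    throw err;
  }
  return /^\s*while\s*\(\s*1\s*\)\s*;/.test(text) ? 'infinite loop' : 'executes';
}

// Constructed sample in the Google Contacts style (both guards).
const sample = 'while(1); &&&START&&&[["u",[["smsSentFlag","false"]]]]';
console.log(parseGuardedJson(sample)[0][0]);
console.log(scriptOutcome(sample), '/', scriptOutcome('while(1);[1]'));
```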
