Comment blocks around JSON responses


Question


I've noticed that some web applications return AJAX responses with JSON data embedded within a comment block. For example, this would be a sample response:

/*{
 "firstName": "John",
 "lastName": "Smith",
 "address": {
     "streetAddress": "21 2nd Street",
     "city": "New York",
     "state": "NY",
     "postalCode": 10021
 },
 "phoneNumbers": [
     "212 555-1234",
     "646 555-4567"
 ]} */


What is the benefit of embedding the JSON data in a comment block? Is there some sort of security exploit which is avoided by doing this?

Answer


It's done to avoid a third party site hijacking your data using a <script> tag and overriding the Object constructor to grab the data as it is built.


When the JSON data is surrounded by comments, it no longer is directly executable via a <script> tag, and thereby "more secure".


See the PDF at http://www.fortifysoftware.com/servlet/downloads/public/JavaScript_Hijacking.pdf for more information (with examples)
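The mechanism the answer describes, shown as an added example that is not part of the original question or answer: the server wraps the serialized JSON in a block comment, and the client strips the delimiters before calling JSON.parse. The SAMPLE object is constructed from the response body in the question; the function names and the handling of a "*/" sequence inside a string value are assumptions of this example, not anything the answer or the Fortify paper prescribes.

```javascript
// Added example, not code from the original post. Demonstrates comment-wrapped
// JSON transport: wrap on the server, unwrap on the client, and check that the
// wrapped body evaluates to nothing when treated as a script.

// Constructed sample, taken from the response body in the question.
const SAMPLE = {
  firstName: "John",
  lastName: "Smith",
  address: {
    streetAddress: "21 2nd Street",
    city: "New York",
    state: "NY",
    postalCode: 10021,
  },
  phoneNumbers: ["212 555-1234", "646 555-4567"],
};

// Server side (hypothetical helper): serialize and wrap in /* ... */ so that the
// whole body is a single comment rather than an executable expression.
function wrapJsonForTransport(value) {
  let json = JSON.stringify(value);
  // Edge case: a "*/" inside a string value would terminate the comment early.
  // JSON allows "\/" as an escape for "/", so rewrite "*/" as "*\/"; JSON.parse
  // still yields the original "*/" on the client.
  json = json.replace(/\*\//g, "*\\/");
  return "/*" + json + "*/";
}

// Client side (hypothetical helper): accept only a body framed exactly as
// expected, strip the two delimiters, and parse the remainder as JSON.
function unwrapJsonResponse(body) {
  const text = body.trim();
  if (!text.startsWith("/*") || !text.endsWith("*/")) {
    throw new Error("response is not a comment-wrapped JSON body");
  }
  return JSON.parse(text.slice(2, -2));
}

// Sanity check: a function whose entire body is the wrapped response contains no
// statement at all, so invoking it returns undefined. This is what makes the
// body inert when loaded through a <script> tag.
function evaluatesToNothing(wrappedBody) {
  return new Function(wrappedBody)() === undefined;
}

// Round trip, including the "*/" edge case.
const wrapped = wrapJsonForTransport(SAMPLE);
console.log(wrapped);
console.log(unwrapJsonResponse(wrapped).address.city); // New York
console.log(evaluatesToNothing(wrapped)); // true
console.log(unwrapJsonResponse(wrapJsonForTransport({ s: "a*/b" })).s); // a*/b
```

In a browser the client side would typically be `fetch(url).then(r => r.text()).then(unwrapJsonResponse)`; the point of the strict prefix and suffix check is that the client never falls back to parsing an unframed body, so a response that arrives without the comment wrapper is treated as an error rather than silently accepted.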
