Comment blocks around JSON responses
Question
I've noticed that some web applications return AJAX responses with JSON data embedded within a comment block. For example, this would be a sample response:
/*{
    "firstName": "John",
    "lastName": "Smith",
    "address": {
        "streetAddress": "21 2nd Street",
        "city": "New York",
        "state": "NY",
        "postalCode": 10021
    },
    "phoneNumbers": [
        "212 555-1234",
        "646 555-4567"
    ]
}*/
What is the benefit of embedding the JSON data in a comment block? Is there some sort of security exploit which is avoided by doing this?
Recommended answer
It's done to avoid a third party site hijacking your data using a <script> tag and overriding the Object constructor to grab the data as it is built.
When the JSON data is surrounded by comments, it no longer is directly executable via a <script> tag, and thereby "more secure".
See the PDF at http://www.fortifysoftware.com/servlet/downloads/public/JavaScript_Hijacking.pdf for more information (with examples).
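The following is an added example, not code from the question or the answer: the server-side wrap and the client-side unwrap that the comment-block technique depends on, plus a simulation of what a cross-site <script> inclusion would get out of the wrapped body. The function names and the sample object are my own; the sample mirrors the question's response and adds a field containing "*/" to show the one escaping step the server must take.

```javascript
// Server side: serialise the object and wrap it in a JavaScript comment.
// A literal "*/" inside a string value would close the comment early, so it is
// emitted as "*\/" (JSON allows "\/" as an escape for "/", so JSON.parse still
// decodes it to the original "*/").
function wrapResponse(obj) {
  const json = JSON.stringify(obj).replace(/\*\//g, '*\\/');
  return '/*' + json + '*/';
}

// Client side: a same-origin XHR/fetch can read the raw text, check that the
// wrapper is intact, strip it and parse what is inside. A cross-site page has
// no way to read the raw text, only to execute it as a script.
function unwrapResponse(body) {
  const text = body.trim();
  if (!text.startsWith('/*') || !text.endsWith('*/')) {
    throw new Error('expected a comment-wrapped JSON body');
  }
  return JSON.parse(text.slice(2, -2));
}

// Simulates what <script src="..."> does with the body: run it as a program.
// A comment-wrapped body is an empty program, so nothing is built and an
// overridden constructor never sees the data. The return value is undefined.
function runAsScript(body) {
  return new Function(body)();
}

// Constructed sample, based on the question's example response.
const sample = {
  firstName: 'John',
  lastName: 'Smith',
  address: { streetAddress: '21 2nd Street', city: 'New York', state: 'NY', postalCode: 10021 },
  phoneNumbers: ['212 555-1234', '646 555-4567'],
  note: 'contains */ on purpose',
};

const wrapped = wrapResponse(sample);
console.log(wrapped);
console.log(runAsScript(wrapped));          // undefined: the whole body is one comment
console.log(unwrapResponse(wrapped).note);  // contains */ on purpose
```

The caveat for defenders is that the protection is only as good as the wrapper: every string value must be checked for "*/" as above, and the legitimate client must always strip the comment rather than fall back to evaluating the body.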