Difference between ")]}',\n" and "{} &&" in avoiding JSON hijacking


Question

In reading about how to avoid json hijacking I've come across various methods including POSTing everything or prepending responses so they are not valid JavaScript.

The most common way to prepend seems to be to add {} && in front of your object or array. Angular suggests prepending with )]}',\n.

Why does angular not use the more standard {} && approach? Is one not totally secure? Is one more difficult to use in JavaScript? Angular aside, is there a good reason for taking the less popular approach?

Answer

Anything that stops the JSON response being parsed as a JavaScript object or array will prevent this method of JSON Hijacking.

See this post for some ways to make your JSON secure.

However, as this answer states, it is not really an issue since Firefox 3.

Google uses an "unparseable [cruft]" to defend itself against this type of attack. It should be noted that this vulnerability has been fixed in Firefox 3, and this vulnerability arises from how browsers implement the JSON specification.

At the time of writing Google appear to prepend )]}' to their responses from Gmail.
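Added example (JavaScript), not from the question, the answer or Angular's own code: a client-side helper that strips a known prefix before `JSON.parse`, plus a syntax check showing why the two prefixes discussed above stop a response from parsing as a script. The sample response and the function names are constructed for this illustration.

```javascript
// Added example, not from the original question or answer: how a client
// strips an anti-hijacking prefix before JSON.parse, and a syntax check
// showing why the two prefixes from the thread break a script-tag parse.

const ANGULAR_PREFIX = ")]}',\n"; // prefix Angular (and Gmail) prepend
const AND_PREFIX = "{} &&";        // the "more standard" prefix from the question

// Client-side step: refuse bodies without the expected prefix, then parse
// the remainder. Failing closed here catches an endpoint that forgot the
// prefix instead of silently parsing it.
function parsePrefixedJson(body, prefix) {
  if (!body.startsWith(prefix)) {
    throw new Error("response missing expected anti-hijacking prefix");
  }
  return JSON.parse(body.slice(prefix.length));
}

// Would this body parse as a whole JavaScript program (what <script src=...>
// does)? Function() is used only as a syntax check; nothing is executed.
function isValidScript(body) {
  try {
    new Function(body);
    return true;
  } catch (e) {
    return false;
  }
}

// Would this body parse as a JavaScript expression (e.g. the right-hand side
// of an assignment)? Again a syntax check only.
function isValidExpression(body) {
  try {
    new Function("return (" + body + ");");
    return true;
  } catch (e) {
    return false;
  }
}

// Constructed sample response: an array literal is the historically
// hijackable shape, because a bare array is itself a valid program.
const SAMPLE = '[{"id": 1, "email": "user@example.invalid"}]';

function demo() {
  return {
    bareArrayIsScript: isValidScript(SAMPLE),                          // true
    andPrefixIsScript: isValidScript(AND_PREFIX + SAMPLE),             // false
    angularPrefixIsScript: isValidScript(ANGULAR_PREFIX + SAMPLE),     // false
    andPrefixIsExpression: isValidExpression(AND_PREFIX + SAMPLE),     // true
    angularPrefixIsExpression: isValidExpression(ANGULAR_PREFIX + SAMPLE), // false
    parsed: parsePrefixedJson(ANGULAR_PREFIX + SAMPLE, ANGULAR_PREFIX),
  };
}
```

The `isValidExpression` check is the practical difference between the two: `{} &&` is only a syntax error when the body is parsed as a statement (a leading `{` starts a block), whereas `)]}',` is unparseable in any position. Both stop the script-tag case the answer describes; the Angular-style prefix is simply the more robust choice, and the client must strip exactly that prefix before parsing.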
