Why does Google prepend while(1); to their JSON responses?
Question
Why does Google prepend while(1); to their (private) JSON responses?
For example, here's a response while turning a calendar on and off in Google Calendar:
while (1);
[
['u', [
['smsSentFlag', 'false'],
['hideInvitations', 'false'],
['remindOnRespondedEventsOnly', 'true'],
['hideInvitations_remindOnRespondedEventsOnly', 'false_true'],
['Calendar ID stripped for privacy', 'false'],
['smsVerifiedFlag', 'true']
]]
]
I would assume this is to prevent people from doing an eval() on it, but all you'd really have to do is replace the while and then you'd be set. I would assume the eval prevention is to make sure people write safe JSON parsing code.
I've seen this used in a couple of other places, too, but a lot more so with Google (Mail, Calendar, Contacts, etc.). Strangely enough, Google Docs starts with &&&START&&& instead, and Google Contacts seems to start with while(1); &&&START&&&.
What's going on here?
Accepted answer
It prevents JSON hijacking, a major JSON security issue that is formally fixed in all major browsers since 2011 with ECMAScript 5.
Contrived example: say Google has a URL like mail.google.com/json?action=inbox which returns the first 50 messages of your inbox in JSON format. Evil websites on other domains can't make AJAX requests to get this data due to the same-origin policy, but they can include the URL via a <script> tag. The URL is visited with your cookies, and by overriding the global array constructor or accessor methods they can have a method called whenever an object (array or hash) attribute is set, allowing them to read the JSON content.
The while(1); or &&&BLAH&&& prevents this: an AJAX request at mail.google.com will have full access to the text content, and can strip it away. But a <script> tag insertion blindly executes the JavaScript without any processing, resulting in either an infinite loop or a syntax error.
This does not address the problem of cross-site request forgery.
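The answer describes the legitimate, same-origin side of this scheme: the client reads the response as text, strips the guard, and only then parses it. The following is an added example (not code from the question, the answer, or Google) of how such a client-side parser should look. The prefix patterns, the function names and the sample response bodies are all assumptions constructed for the example. It also makes the point the questioner was circling: the guard only helps if the stripped body is then fed to a strict JSON parser rather than eval(); the Calendar sample in the question, taken literally, is a JavaScript array literal with single-quoted strings, which JSON.parse rejects instead of executing.

```javascript
// Added example, not from the original question or answer. Names and sample
// bodies below are constructed for demonstration.

// Anti-hijacking guards mentioned on the page: "while(1);" and "&&&START&&&".
// The first pattern also tolerates the "while (1);" spacing from the Calendar sample.
const GUARD_PREFIXES = [/^\s*while\s*\(\s*1\s*\)\s*;\s*/, /^\s*&&&START&&&\s*/];

// Strip every recognized guard from the start of the body, repeating so that a
// combined prefix like "while(1);&&&START&&&" (the Contacts case) is handled.
// Returns the remaining text and the number of guards removed.
function stripGuards(body) {
  let rest = body;
  let removed = 0;
  let matched = true;
  while (matched) {
    matched = false;
    for (const re of GUARD_PREFIXES) {
      const m = rest.match(re);
      if (m) {
        rest = rest.slice(m[0].length);
        removed += 1;
        matched = true;
      }
    }
  }
  return { rest, removed };
}

// Parse a guarded response on the same origin. The body is never handed to
// eval() or Function(): JSON.parse accepts only real JSON, so a JavaScript
// literal is a SyntaxError rather than executed code. By default a body with
// no guard at all is treated as a broken contract, so an endpoint that stops
// sending the guard is noticed instead of silently consumed.
function parseGuardedJson(body, { requireGuard = true } = {}) {
  const { rest, removed } = stripGuards(body);
  if (requireGuard && removed === 0) {
    throw new Error('response is missing the anti-hijacking guard');
  }
  return JSON.parse(rest);
}

// Constructed sample bodies (assumptions, not captured traffic).
const SAMPLE_OK = 'while(1);\n[["u", [["smsSentFlag", "false"], ["hideInvitations", "false"]]]]';
const SAMPLE_DOUBLE = 'while(1);&&&START&&&{"contacts": []}';
const SAMPLE_JS_LITERAL = "while (1);\n[['u', [['smsSentFlag', 'false']]]]"; // JS literal, not JSON
const SAMPLE_UNGUARDED = '{"inbox": []}';

// Exercise the parser on each sample and report what happened.
function demo() {
  const ok = parseGuardedJson(SAMPLE_OK);
  const double = parseGuardedJson(SAMPLE_DOUBLE);
  let literalRejected = false;
  try {
    parseGuardedJson(SAMPLE_JS_LITERAL);
  } catch (e) {
    literalRejected = e instanceof SyntaxError;
  }
  let unguardedRejected = false;
  try {
    parseGuardedJson(SAMPLE_UNGUARDED);
  } catch (e) {
    unguardedRejected = true;
  }
  return { ok, double, literalRejected, unguardedRejected };
}

console.log(demo());
```

The `requireGuard` default is the defender's check worth keeping: a same-origin client that quietly accepts unguarded bodies will not notice when a deployment change drops the prefix and re-exposes the endpoint to script-tag inclusion in any client that still lacks the ECMAScript 5 fix.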