为什么谷歌在前面加上 while(1);到他们的 JSON 响应? [英] Why does Google prepend while(1); to their JSON responses?
问题描述
为什么 Google 将 while(1); 添加到他们的(私有)JSON 响应中?
Why does Google prepend while(1); to their (private) JSON responses?
例如,以下是在 Google 日历中打开和关闭日历时的响应:
For example, here's a response while turning a calendar on and off in Google Calendar:
while (1);
[
['u', [
['smsSentFlag', 'false'],
['hideInvitations', 'false'],
['remindOnRespondedEventsOnly', 'true'],
['hideInvitations_remindOnRespondedEventsOnly', 'false_true'],
['Calendar ID stripped for privacy', 'false'],
['smsVerifiedFlag', 'true']
]]
]
我认为这是为了防止人们对其执行 eval(),但您真正需要做的就是替换 while,然后您会被设置.我认为 eval 预防是为了确保人们编写安全的 JSON 解析代码.
I would assume this is to prevent people from doing an eval() on it, but all you'd really have to do is replace the while and then you'd be set. I would assume the eval prevention is to make sure people write safe JSON parsing code.
我在其他几个地方也看到过这种情况,但在 Google(邮件、日历、通讯录等)中使用的更多.奇怪的是,Google Docs 以 &&&START&&& 开头,而 Google 通讯录似乎以while(1);&&&START&&&.
I've seen this used in a couple of other places, too, but a lot more so with Google (Mail, Calendar, Contacts, etc.) Strangely enough, Google Docs starts with &&&START&&& instead, and Google Contacts seems to start with while(1); &&&START&&&.
这是怎么回事?
推荐答案
它可以防止 JSON 劫持,一个主要的 JSON 安全问题,正式已修复在所有主要浏览器中自 2011 年起a> 使用 ECMAScript 5.
It prevents JSON hijacking, a major JSON security issue that is formally fixed in all major browsers since 2011 with ECMAScript 5.
人为示例:假设 Google 有一个类似于 mail.google.com/json?action=inbox 的 URL,它以 JSON 格式返回收件箱的前 50 封邮件.由于同源策略,其他域上的恶意网站无法通过 AJAX 请求获取此数据,但它们可以通过
