問題:
Possible Duplicate:可能的重複:
Why does Google prepend while(1); 爲什麼谷歌在前面加上 while(1); to their JSON responses? 到他們的 JSON 響應?
Google returns json like this:谷歌返回這樣的json:
throw 1; <dont be evil> { foo: bar}
and Facebooks ajax has json like this:和 Facebook 的 ajax 有這樣的 json:
for(;;); {"error":0,"errorSummary": ""}
- Why do they put code that would stop execution and makes invalid json?他們爲什麼要放置會停止執行並生成無效 json 的代碼?
- How do they parse it if it's invalid and would crash if you tried to eval it?如果它無效,他們如何解析它並且如果您嘗試評估它會崩潰?
- Do they just remove it from the string (seems expensive)?他們只是從字符串中刪除它嗎(看起來很貴)?
- Are there any security advantages to this?這有什麼安全優勢嗎?
In response to it being for security purposes:響應它是出於安全目的:
If the scraper is on another domain they would have to use a script tag to get the data because XHR won't work cross-domain.如果抓取工具在另一個域上,他們將不得不使用script標籤來獲取數據,因爲 XHR 無法跨域工作。 Even without the for(;;);即使沒有for(;;); how would the attacker get the data?攻擊者如何獲取數據? It's not assigned to a variable so wouldn't it just be garbage collected because there's no references to it?它沒有分配給變量,所以它不會因爲沒有對它的引用而被垃圾收集嗎?
Basically to get the data cross domain they would have to do基本上要獲得跨域的數據,他們將不得不做
<script src="http://target.com/json.js"></script>
But even without the crash script prepended the attacker can't use any of the Json data without it being assigned to a variable that you can access globally (it isn't in these cases).但即使沒有崩潰腳本,攻擊者也無法使用任何 Json 數據,除非將其分配給您可以全局訪問的變量(在這些情況下不是這樣)。 The crash code effectivly does nothing because even without it they have to use server sided scripting to use the data on their site.崩潰代碼實際上什麼也沒做,因爲即使沒有它,他們也必須使用服務器端腳本來使用他們站點上的數據。
解決方案:
參考一: https://en.stackoom.com/question/DCco參考二: https://stackoom.com/question/DCco