Why do people put code like "throw 1; <dont be evil>" and "for(;;);" in front of JSON responses? [duplicate]

Question:

This question already has answers here:
Closed 8 years ago.

Possible Duplicate:
Why does Google prepend while(1); to their JSON responses?

Google returns JSON like this:

throw 1; <dont be evil> { foo: bar}

and Facebook's AJAX has JSON like this:

for(;;); {"error":0,"errorSummary": ""}
  • Why do they put code that would stop execution and make invalid JSON?
  • How do they parse it if it's invalid and would crash if you tried to eval it?
  • Do they just remove it from the string (seems expensive)?
  • Are there any security advantages to this?

In response to it being for security purposes:

If the scraper is on another domain they would have to use a script tag to get the data because XHR won't work cross-domain. Even without the for(;;); how would the attacker get the data? It's not assigned to a variable, so wouldn't it just be garbage collected because there are no references to it?

Basically, to get the data cross-domain they would have to do

<script src="http://target.com/json.js"></script>

But even without the crash script prepended, the attacker can't use any of the JSON data without it being assigned to a variable that you can access globally (it isn't in these cases). The crash code effectively does nothing because even without it they have to use server-side scripting to use the data on their site.
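As an added example (not part of the original question or of Google's or Facebook's code), here is what both sides of the prefix scheme look like: the server prepends a guard such as for(;;); so that a page on another origin which pulls the URL in via a script tag executes the guard (loops forever, or hits a syntax error for the throw variant) before the data is ever evaluated, while the legitimate same-origin XHR client treats the body as text and strips the known prefix before JSON.parse. The names guardJson, parseGuardedJson and GUARD_PREFIXES are assumptions.

```javascript
// Known anti-hijacking prefixes. "throw 1; <dont be evil>" is not even
// valid JavaScript, so a <script src=...> include of it dies at parse time.
const GUARD_PREFIXES = ["for(;;);", "while(1);", "throw 1; <dont be evil>"];

// Server side (assumed helper): emit the guard followed by the JSON text.
// Sent with a JSON content type, this is never meant to run as a script;
// only an attacker's <script src=...> include would execute the prefix.
function guardJson(value, prefix = "for(;;);") {
  return prefix + JSON.stringify(value);
}

// Client side (assumed helper): accept the body only when it begins with a
// known prefix, then parse the remainder. The check is anchored at index 0;
// a global replace would also strip the sequence out of string values.
function parseGuardedJson(body) {
  for (const prefix of GUARD_PREFIXES) {
    if (body.startsWith(prefix)) {
      return JSON.parse(body.slice(prefix.length));
    }
  }
  throw new Error("response is missing the anti-hijacking prefix");
}

// Does JSON.parse reject the raw guarded body? (It should: the prefix makes
// the body invalid JSON, which is exactly the point the question raises.)
function rawParseFails(body) {
  try {
    JSON.parse(body);
    return false;
  } catch (e) {
    return true;
  }
}

// Constructed sample response, including the guard text inside a string
// value to show that the index-0 check leaves the payload intact.
const sampleBody = guardJson({ error: 0, errorSummary: "", note: "for(;;); in a string" });
console.log(sampleBody);
console.log(rawParseFails(sampleBody), parseGuardedJson(sampleBody));
```

Stripping a fixed-length prefix with slice is a constant-time operation on the string, so the cost the question worries about is negligible next to the JSON.parse that follows.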


Solution:

Reference 1: https://en.stackoom.com/question/DCco
Reference 2: https://stackoom.com/question/DCco