tag:blogger.com,1999:blog-865923359735383241.post5741500088475254446..comments2023-10-29T07:27:09.012-06:00Comments on Ccna final exam - java, php, javascript, ios, cshap all in one: Why does Google append while(1); in front of their JSON responses?Unknownnoreply@blogger.comBlogger3125tag:blogger.com,1999:blog-865923359735383241.post-55095963598302654132012-06-01T22:47:36.268-06:002012-06-01T22:47:36.268-06:00It prevents it from being used as the target of a ...It prevents it from being used as the target of a simple <script> tag. (Well, it doesn't prevent it, but it makes it unpleasant.) That way bad guys can't just put that script tag in their own site and rely on an active session to make it possible to fetch your content.Userhttps://www.blogger.com/profile/11557173689529910046noreply@blogger.comtag:blogger.com,1999:blog-865923359735383241.post-45636722611026487672012-06-01T22:47:35.407-06:002012-06-01T22:47:35.407-06:00That would be to make it difficult for a third-par...That would be to make it difficult for a third-party to insert the JSON response into an HTML document with the <script> tag. Remember that the <script> tag is exempt from the Same Origin Policy.<br /><br />There was a related Stack Overflow post a while ago:<br /><br /><br />Why have “while(1);” in XmlHttpRequest response?Userhttps://www.blogger.com/profile/11557173689529910046noreply@blogger.comtag:blogger.com,1999:blog-865923359735383241.post-51011262229033017992012-06-01T22:47:25.738-06:002012-06-01T22:47:25.738-06:00It prevents cross-site request forgery.
Contrived...It prevents cross-site request forgery.<br /><br />Contrived example: say Google has a URL like gmail.com/json?action=inbox which returns the first 50 messages of your inbox in JSON format. Evil websites on other domains can't make AJAX requests to get this data due to the same-origin policy, but they can include the URL via a <script> tag. The URL is visited with your cookies, and by overriding the global array constructor or accessor methods they can have a method called whenever an object (array or hash) attribute is set, allowing them to read the JSON content.<br /><br />The while(1); or &&&BLAH&&& prevents this: an AJAX request at gmail.com will have full access to the text content, and can strip it away. But a <script> tag insertion blindly executes the JavaScript without any processing, resulting in either an infinite loop or a syntax error.Userhttps://www.blogger.com/profile/11557173689529910046noreply@blogger.com