Why does Google prepend while(1); to their JSON responses?

Backend · Unresolved · 7 answers · 1798 views
一整个雨季 2020-11-22 06:43

Why does Google prepend while(1); to their (private) JSON responses?

For example, here's a response while turning a calendar on and off in Google Calen

7 answers
  •  暗喜 (original poster)
     2020-11-22 07:15

    It prevents JSON hijacking, a major JSON security issue that is formally fixed in all major browsers since 2011 with ECMAScript 5.

    Contrived example: say Google has a URL like mail.google.com/json?action=inbox which returns the first 50 messages of your inbox in JSON format. Evil websites on other domains can't make AJAX requests to get this data due to the same-origin policy, but they can include the URL via a
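The mechanism the answer describes, as an added example that is not part of the original answer or of any Google code: a first-party client fetches the guarded body with XHR, verifies and strips the `while(1);` prefix, then parses it. A third-party page cannot use XHR (same-origin policy) and would have to pull the URL in with `<script src>`, which evaluates the body as JavaScript and spins forever on `while(1);` before the object literal is reached. The last function checks the ES5 point from the answer: an inherited setter planted on `Object.prototype` no longer sees values assigned by an object literal, so the old hijack does not fire on a modern engine. The inbox payload is constructed.

```javascript
// Added example, not from the original answer. PREFIX matches the guard
// the question describes; the inbox payload below is constructed.
const PREFIX = "while(1);";

// Server side: wrap the JSON payload in the guard prefix.
function guardJson(obj) {
  return PREFIX + JSON.stringify(obj);
}

// Client side (same origin, fetched via XHR): refuse anything that is not
// framed as expected, strip the prefix, then parse the remainder.
function parseGuardedJson(text) {
  if (!text.startsWith(PREFIX)) {
    throw new Error("unexpected response framing");
  }
  return JSON.parse(text.slice(PREFIX.length));
}

// Is the raw body valid JSON on its own? With the prefix in place it is not,
// and as a <script src> it is an infinite loop rather than data.
function isPlainJson(text) {
  try {
    JSON.parse(text);
    return true;
  } catch (e) {
    return false;
  }
}

// The pre-ES5 hijack: define a setter for a property name the response is
// known to use, then include the response as a script and capture the
// values as the literal is built. ES5 made object literals define own
// properties directly, so the setter is never invoked; returns false on
// any ES5-or-later engine.
function setterSeesLiteralValues() {
  const captured = [];
  Object.defineProperty(Object.prototype, "subject", {
    set(v) { captured.push(v); },
    configurable: true,
  });
  try {
    // Evaluate a bare object literal the way a <script> include would.
    (0, eval)('({ subject: "leaked?" })');
    return captured.length > 0;
  } finally {
    delete Object.prototype.subject;
  }
}

// Constructed sample inbox response.
const sampleInbox = { messages: [{ id: 1, subject: "hello" }] };
const body = guardJson(sampleInbox);
console.log(body);                        // while(1);{"messages":[...]}
console.log(isPlainJson(body));           // false: useless as bare JSON
console.log(parseGuardedJson(body));      // the original object
console.log(setterSeesLiteralValues());   // false on ES5+ engines
```

The client must strip the prefix on the raw text before `JSON.parse`; the prefix is a framing convention, not part of the JSON grammar, so a parser that is handed the body unchanged will reject it.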
