Why does Google prepend while(1); to their JSON responses?

2022-01-31 00:00:00 json security javascript ajax

Why does Google prepend while(1); to their (private) JSON responses?

For example, here's a response while turning a calendar on and off in Google Calendar:

while (1);
[
  ['u', [
    ['smsSentFlag', 'false'],
    ['hideInvitations', 'false'],
    ['remindOnRespondedEventsOnly', 'true'],
    ['hideInvitations_remindOnRespondedEventsOnly', 'false_true'],
    ['Calendar ID stripped for privacy', 'false'],
    ['smsVerifiedFlag', 'true']
  ]]
]

I would assume this is to prevent people from doing an eval() on it, but all you'd really have to do is replace the while and then you'd be set. I would assume the eval prevention is to make sure people write safe JSON parsing code.

I've seen this used in a couple of other places, too, but a lot more so with Google (Mail, Calendar, Contacts, etc.) Strangely enough, Google Docs starts with &&&START&&& instead, and Google Contacts seems to start with while(1); &&&START&&&.

What's going on here?

Recommended answer

It prevents JSON hijacking, a major JSON security issue that is formally fixed in all major browsers since 2011 with ECMAScript 5.

Contrived example: say Google has a URL like mail.google.com/json?action=inbox which returns the first 50 messages of your inbox in JSON format. Evil websites on other domains can't make AJAX requests to get this data due to the same-origin policy, but they can include the URL via a <script> tag. The URL is visited with your cookies, and by overriding the global array constructor or accessor methods they can have a method called whenever an object (array or hash) attribute is set, allowing them to read the JSON content.

The while(1); or &&&BLAH&&& prevents this: an AJAX request at mail.google.com will have full access to the text content, and can strip it away. But a <script> tag insertion blindly executes the JavaScript without any processing, resulting in either an infinite loop or a syntax error.

This does not address the issue of cross-site request forgery.
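As an added example (not code from the question, the answer, or Google), here is the defence described above seen from the legitimate same-origin caller's side: the caller has the response text, strips the guard prefix, and only then calls JSON.parse, while a cross-origin <script> inclusion would execute the guard as JavaScript before reaching any data. The guard strings are the ones quoted in the post (while(1);, &&&START&&&, and the two combined); the sample bodies and the helper names are constructed for this demo.

```javascript
// Added example, not from the original post. Guard strings are those quoted above;
// sample bodies are constructed.

// Matches an optional "while(1);" (whitespace tolerated, as in "while (1);")
// followed by an optional "&&&START&&&", anchored at the start of the body.
const GUARD_PREFIX = /^\s*(?:while\s*\(\s*1\s*\)\s*;\s*)?(?:&&&START&&&\s*)?/;

// Server side: serialise the payload and prepend the guard. Executed as a script
// on another origin, "while(1);" loops forever and "&&&START&&&" is a SyntaxError,
// so the array/object literal that follows is never evaluated.
function guardJsonResponse(payload, prefix = "while(1);") {
  return prefix + JSON.stringify(payload);
}

// Client side (same origin): remove the guard, then parse. Never eval() the body.
function stripGuardPrefix(body) {
  return body.replace(GUARD_PREFIX, "");
}

function parseGuardedJson(body) {
  return JSON.parse(stripGuardPrefix(body));
}

// Sanity check for an endpoint: true only if the raw body is NOT valid JSON and
// a recognised guard prefix is what makes it invalid.
function isGuardPresent(body) {
  try {
    JSON.parse(body);
    return false; // raw body parsed, so no guard was shipped
  } catch (e) {
    return stripGuardPrefix(body) !== body;
  }
}

// Constructed sample responses in the three shapes mentioned in the question.
const SAMPLE_CALENDAR = 'while (1);\n[["u",[["smsSentFlag","false"],["hideInvitations","false"]]]]';
const SAMPLE_DOCS = '&&&START&&&{"title":"Untitled","rev":3}';
const SAMPLE_CONTACTS = 'while(1);&&&START&&&[{"name":"A. Example"}]';
```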
