Why does Google prepend while(1); to their JSON responses? - Stack Overflow

Python PingBook 2 months ago (10-26) 20 0

Question

Why does Google prepend while(1); to their (private) JSON responses?

For example, here’s a response while turning a calendar on and off in Google Calendar:

while(1);[['u',[['smsSentFlag','false'],['hideInvitations','false'],
['remindOnRespondedEventsOnly','true'],
['hideInvitations_remindOnRespondedEventsOnly','false_true'],
['Calendar ID stripped for privacy','false'],['smsVerifiedFlag','true']]]]

I would assume this is to prevent people from doing an eval() on it, but all you’d really have to do is replace the while and then you’d be set. I would assume the eval prevention is to make sure people write safe JSON parsing code.

I’ve seen this used in a couple of other places, too, but a lot more so with Google (Mail, Calendar, Contacts, etc.) Strangely enough, Google Docs starts with &&&START&&& instead, and Google Contacts seems to start with while(1); &&&START&&&.

What’s going on here?

Answer

It prevents JSON hijacking, a major JSON security issue that is formally fixed in all major browsers since 2011 with ECMAScript 5.

Contrived example: say Google has a URL like mail.google.com/json?action=inbox which returns the first 50 messages of your inbox in JSON format. Evil websites on other domains can’t make AJAX requests to get this data due to the same-origin policy, but they can include the URL via a
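
How a same-origin client can consume a response guarded this way, as an added example that is not part of the original question or answer: the function names and the sample payload are hypothetical, and the prefix list holds only the three forms named in the question.

```javascript
// Added example; PREFIXES, guardJson, parseGuardedJson and parsesAsScript
// are hypothetical names, not Google's code.

// Prefixes named in the question, longest first so the combined form wins.
const PREFIXES = ['while(1); &&&START&&&', 'while(1);', '&&&START&&&'];

// Server side: serialize the payload and prepend the guard prefix.
function guardJson(value, prefix = 'while(1);') {
  if (!PREFIXES.includes(prefix)) throw new Error('unknown guard prefix');
  return prefix + JSON.stringify(value);
}

// Client side: a same-origin caller receives the raw response text, so it can
// strip the prefix and pass the remainder to JSON.parse (never eval).
function parseGuardedJson(text) {
  const body = text.replace(/^\uFEFF/, '').trimStart();
  const prefix = PREFIXES.find((p) => body.startsWith(p));
  if (prefix === undefined) {
    // Fail closed: an unguarded body means the server-side guard is missing.
    throw new Error('response is missing the expected guard prefix');
  }
  return JSON.parse(body.slice(prefix.length));
}

// Reports whether the text compiles as a script. new Function only compiles
// the source here; the resulting function is never called.
function parsesAsScript(text) {
  try { new Function(text); return true; } catch (e) { return false; }
}

// Constructed sample payload (double-quoted strings, so it is strict JSON).
const SAMPLE = [['u', [['smsSentFlag', 'false'], ['smsVerifiedFlag', 'true']]]];
```

`parsesAsScript` shows the two guard styles differ: `&&&START&&&` makes the body a syntax error when loaded as a script, while `while(1);` compiles but loops before the array literal is ever evaluated.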



Copyright PingBook Blog. Unless otherwise specified, posts are original. This site is licensed under BY-NC-SA.
For reprinting, please indicate the link of the original text: Why does Google prepend while(1); to their JSON responses? - Stack Overflow