Side navigation
#10925 closed enhancement (invalid)
Opened November 29, 2011 06:03PM UTC
Closed December 15, 2011 08:13AM UTC
support parsing JSON when cross-site request protection is prepended
| Reported by: | brian@codekitchen.net | Owned by: | brian@codekitchen.net |
|---|---|---|---|
| Priority: | low | Milestone: | None |
| Component: | ajax | Version: | 1.7.1 |
| Keywords: | Cc: | ||
| Blocked by: | Blocking: |
Description
There are well-known vulnerabilities around how JSON responses can be hijacked from third-party sites by overriding Array/Object constructors or !__defineSetter!__ , and then embedding a script tag to pull the data. See for example http://haacked.com/archive/2009/06/25/json-hijacking.aspx .
We are protecting against this in our application by prepending all our JSON responses with a "while(1);" loop, and then modifying jQuery.parseJSON to strip that out. This prefixing is the current best practice, also followed by Google and Facebook. It'd be nice to have this support built into jQuery. Since a JSON response prepended by "while(1);" isn't a valid response, there's no ambiguity in adding code to remove it.
Attachments (0)
Change History (5)
Changed November 29, 2011 06:12PM UTC by comment:1
Changed November 29, 2011 06:17PM UTC by comment:2
If there's interest in merging this, I'll write test cases as well.
Changed November 30, 2011 02:22PM UTC by comment:3
| component: | unfiled → ajax |
|---|---|
| owner: | → brian@codekitchen.net |
| priority: | undecided → low |
| status: | new → pending |
The article is 2.5 years old. Is this still an issue in browsers?
Chrome seems to have fixed it around v10-11.
Can you reproduce it in any of the supported browsers?
Also provide a testcase so we can confirm.
Changed November 30, 2011 04:56PM UTC by comment:4
Yeah that's a valid point. It's still an issue in some browsers we support, such as older Chromes and Safaris. And we're keeping the protection in place for the foreseeable future, to avoid any future issues. However since there's no known exploit for any jquery officially supported browser versions, it's understandable if you're not interested in merging it in.
Changed December 15, 2011 08:13AM UTC by comment:5
| resolution: | → invalid |
|---|---|
| status: | pending → closed |
Because we get so many tickets, we often need to return them to the initial reporter for more information. If that person does not reply within 14 days, the ticket will automatically be closed, and that has happened in this case. If you still are interested in pursuing this issue, feel free to add a comment with the requested information and we will be happy to reopen the ticket if it is still valid. Thanks!
Here's a patch against jQuery 1.7.1:
https://gist.github.com/1405777