
Ticket #10925 (closed enhancement: invalid)

Opened 18 months ago

Last modified 17 months ago

support parsing JSON when cross-site request protection is prepended

Reported by: brian@… Owned by: brian@…
Priority: low Milestone: None
Component: ajax Version: 1.7.1
Keywords: Cc:
Blocking: Blocked by:

Description

There are well-known vulnerabilities around how JSON responses can be hijacked from third-party sites by overriding Array/Object constructors or __defineSetter__, and then embedding a script tag to pull the data. See for example http://haacked.com/archive/2009/06/25/json-hijacking.aspx.

We are protecting against this in our application by prepending all our JSON responses with a "while(1);" loop, and then modifying jQuery.parseJSON to strip that out. This prefixing is the current best practice, also followed by Google and Facebook. It'd be nice to have this support built into jQuery. Since a JSON response prepended by "while(1);" isn't a valid response, there's no ambiguity in adding code to remove it.
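The approach described above, as an added example that is not the ticket's patch and not jQuery code: a parser wrapper that strips a known anti-hijacking prefix only at the very start of the body and then hands the rest to `JSON.parse`, plus the matching server-side prefixing step. The prefix list and the sample responses are assumptions constructed here; the ticket itself only names "while(1);".

```javascript
// Known anti-hijacking prefixes. Assumption: only "while(1);" is listed,
// because that is the one the ticket describes; add others as needed.
const ANTI_HIJACK_PREFIXES = ["while(1);"];

// Server side: make the body unusable as a <script> source by prepending
// an infinite loop. A browser that pulls this via a script tag hangs in
// the loop before the JSON literal is ever evaluated.
function protectJSON(value, prefix = ANTI_HIJACK_PREFIXES[0]) {
  return prefix + JSON.stringify(value);
}

// Client side: remove the prefix before parsing. Only the start of the
// body (after optional leading whitespace) is inspected, so a JSON string
// value that happens to contain "while(1);" is left untouched.
function parseProtectedJSON(body, prefixes = ANTI_HIJACK_PREFIXES) {
  if (typeof body !== "string") {
    throw new TypeError("response body must be a string");
  }
  const trimmed = body.replace(/^\s+/, "");
  let text = trimmed;
  for (const prefix of prefixes) {
    if (trimmed.startsWith(prefix)) {
      text = trimmed.slice(prefix.length);
      break;
    }
  }
  // A body consisting of the prefix alone is not JSON; JSON.parse throws
  // a SyntaxError, which is the correct outcome for a malformed response.
  return JSON.parse(text);
}

// Constructed sample responses for demonstration.
const SAMPLE_PROTECTED = 'while(1);{"user":"alice","roles":["admin"]}';
const SAMPLE_PLAIN = '{"user":"bob"}';
const SAMPLE_WITH_PREFIX_INSIDE_STRING = '{"note":"while(1);"}';
```

Unprotected bodies still parse unchanged, so the wrapper can replace the plain parser without breaking existing endpoints.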

Change History

comment:1 Changed 18 months ago by brian@…

Here's a patch against jQuery 1.7.1:

https://gist.github.com/1405777

comment:2 Changed 18 months ago by brian@…

If there's interest in merging this, I'll write test cases as well.

comment:3 Changed 18 months ago by sindresorhus

  • Owner set to brian@…
  • Priority changed from undecided to low
  • Status changed from new to pending
  • Component changed from unfiled to ajax

The article is 2.5 years old. Is this still an issue in browsers?

Chrome seems to have fixed it around v10-11.

It was fixed in Firefox 3.5.

Can you reproduce it in any of the supported browsers?

Also provide a testcase so we can confirm.

comment:4 Changed 18 months ago by anonymous

Yeah, that's a valid point. It's still an issue in some browsers we support, such as older Chromes and Safaris. And we're keeping the protection in place for the foreseeable future, to avoid any future issues. However, since there's no known exploit for any jQuery officially supported browser versions, it's understandable if you're not interested in merging it in.

comment:5 Changed 17 months ago by trac-o-bot

  • Status changed from pending to closed
  • Resolution set to invalid

Because we get so many tickets, we often need to return them to the initial reporter for more information. If that person does not reply within 14 days, the ticket will automatically be closed, and that has happened in this case. If you still are interested in pursuing this issue, feel free to add a comment with the requested information and we will be happy to reopen the ticket if it is still valid. Thanks!

Please follow the bug reporting guidelines and use jsFiddle when providing test cases and demonstrations instead of pasting the code in the ticket.
