Ticket #10925 (closed enhancement: invalid)
support parsing JSON when cross-site request protection is prepended
Reported by: brian@… | Owned by: brian@…
There are well-known vulnerabilities around how JSON responses can be hijacked from third-party sites by overriding Array/Object constructors or __defineSetter__, and then embedding a script tag to pull the data. See for example http://haacked.com/archive/2009/06/25/json-hijacking.aspx.
We are protecting against this in our application by prepending all our JSON responses with a "while(1);" loop, and then modifying jQuery.parseJSON to strip that out. This prefixing is the current best practice, also followed by Google and Facebook. It'd be nice to have this support built into jQuery. Since a JSON response prepended by "while(1);" isn't a valid response, there's no ambiguity in adding code to remove it.
- Owner set to brian@…
- Priority changed from undecided to low
- Status changed from new to pending
- Component changed from unfiled to ajax
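
The prefix-and-strip scheme described in the ticket, shown for both the server and the client side. This is an added example, not jQuery's code and not the reporter's patch; `GUARD_PREFIX`, `guardJSON`, `parseGuardedJSON` and the `requirePrefix` option are hypothetical names.

```javascript
// Added example. All identifiers here are hypothetical, not part of jQuery.
const GUARD_PREFIX = "while(1);";

// Server side: serialize a value and prepend the guard, so the body does not
// yield data when a third-party page pulls it in through a <script> tag.
function guardJSON(value) {
  return GUARD_PREFIX + JSON.stringify(value);
}

// Client side: remove the guard, then parse.
// - The guard is stripped only when it is the very first thing in the body,
//   and only once; the same text inside a JSON string value is left alone.
// - With requirePrefix (the default) an unguarded body is rejected, which
//   surfaces any endpoint that forgot to add the protection.
// - JSON.parse is used for the remainder, so the body is parsed as data and
//   never evaluated as script.
function parseGuardedJSON(text, { requirePrefix = true } = {}) {
  if (typeof text !== "string") {
    throw new TypeError("response body must be a string");
  }
  let body = text;
  if (body.startsWith(GUARD_PREFIX)) {
    body = body.slice(GUARD_PREFIX.length);
  } else if (requirePrefix) {
    throw new Error("response is missing the anti-hijacking prefix");
  }
  return JSON.parse(body); // throws SyntaxError on anything that is not JSON
}

// Constructed sample responses, for illustration only.
const guarded = guardJSON({ user: "alice", note: "while(1);" });
const parsed = parseGuardedJSON(guarded);
console.log(guarded);      // while(1);{"user":"alice","note":"while(1);"}
console.log(parsed.note);  // while(1);
```
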