Skip to main content

Bug Tracker

Side navigation

#10925 closed enhancement (invalid)

Opened November 29, 2011 06:03PM UTC

Closed December 15, 2011 08:13AM UTC

support parsing JSON when cross-site request protection is prepended

Reported by: brian@codekitchen.net Owned by: brian@codekitchen.net
Priority: low Milestone: None
Component: ajax Version: 1.7.1
Keywords: Cc:
Blocked by: Blocking:
Description

There are well-known vulnerabilities around how JSON responses can be hijacked from third-party sites by overriding Array/Object constructors or !__defineSetter!__ , and then embedding a script tag to pull the data. See for example http://haacked.com/archive/2009/06/25/json-hijacking.aspx .

We are protecting against this in our application by prepending all our JSON responses with a "while(1);" loop, and then modifying jQuery.parseJSON to strip that out. This prefixing is the current best practice, also followed by Google and Facebook. It'd be nice to have this support built into jQuery. Since a JSON response prepended by "while(1);" isn't a valid response, there's no ambiguity in adding code to remove it.

Attachments (0)
Change History (5)

Changed November 29, 2011 06:12PM UTC by brian@codekitchen.net comment:1

Here's a patch against jQuery 1.7.1:

https://gist.github.com/1405777

Changed November 29, 2011 06:17PM UTC by brian@codekitchen.net comment:2

If there's interest in merging this, I'll write test cases as well.

Changed November 30, 2011 02:22PM UTC by sindresorhus comment:3

component: unfiledajax
owner: → brian@codekitchen.net
priority: undecidedlow
status: newpending

The article is 2.5 years old. Is this still an issue in browsers?

Chrome seems to have fixed it around v10-11.

It was fixed in Firefox 3.5.

Can you reproduce it in any of the supported browsers?

Also provide a testcase so we can confirm.

Changed November 30, 2011 04:56PM UTC by anonymous comment:4

Yeah that's a valid point. It's still an issue in some browsers we support, such as older Chromes and Safaris. And we're keeping the protection in place for the foreseeable future, to avoid any future issues. However since there's no known exploit for any jquery officially supported browser versions, it's understandable if you're not interested in merging it in.

Changed December 15, 2011 08:13AM UTC by trac-o-bot comment:5

resolution: → invalid
status: pendingclosed

Because we get so many tickets, we often need to return them to the initial reporter for more information. If that person does not reply within 14 days, the ticket will automatically be closed, and that has happened in this case. If you still are interested in pursuing this issue, feel free to add a comment with the requested information and we will be happy to reopen the ticket if it is still valid. Thanks!